On 2016-10-14 10:19, Nick Lamb wrote:
> On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
>> Will there be any requirements around the qualification status of the logs,
>> or could anyone who wanted to be "nice" just stand up a log, and have these
>> CAs obtain precerts from them?
>
> I don't think Mozilla has declared any specific requirements, but presumably
> they would expect to choose the same or similar criteria as Google's Chrome
> which you're already aware of but I'll link for anybody else
> https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy
> For the immediate purpose here (allowing broad oversight over what the new CA is
> issuing) some of these criteria are less important, e.g. the >99% uptime may be
> less important because oversight would be done via a monitor, but Mozilla intends
> to add SCT-checking to Firefox, at which point all the criteria will be important.
I think the 99% uptime is important. They need to be able to submit new
certificates to it. This is clearly needed if embedding the SCTs is
required. But I guess it's more important to the CA in that case than it
is to Mozilla.
Kurt