On 14/10/16 10:50, Gervase Markham wrote:
> On 14/10/16 10:41, Rob Stradling wrote:
>> Gerv, does Mozilla need to make a final decision on this point immediately?
>>
>> I very much hope that there will be more CT logs by the time StartCom
>> and/or WoSign are readmitted into Mozilla's trust list. Why not delay
>> making this decision until nearer that time?
>
> We don't have to make a decision, in that we are not going to mandate a
> particular log. We have just set some criteria. If those criteria are
> easier to meet by the time StartCom/WoSign have to meet them, then great
> :-)
Sure, but aren't we talking about specifying criteria for which log(s) StartCom/WoSign _can't_ use in future?

If Mozilla would prefer to forbid StartCom/WoSign from using their own or each other's logs, then ISTM that it would be best to specify criteria that are conditional on the future state of the CT ecosystem, e.g.:

  "StartCom/WoSign must not use their own or each other's logs, unless no other browser-accepted log accepts their roots"

If the criteria can't be conditional, then I think you'd end up with...

  "StartCom/WoSign may use their own logs forever, because there was a dearth of any other non-Google logs available to them in October 2016"

...that is, unless you say...

  "StartCom/WoSign must not use their own or each other's logs. This policy may be revised in the future".

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy