On 14/10/16 11:37, Rob Stradling wrote: > Sure, but aren't we talking about specifying criteria for which log(s) > StartCom/WoSign _can't_ use in future? > > If Mozilla would prefer to forbid StartCom/WoSign from using their own > or each other's logs, then ISTM that it would be best to specify > criteria that is conditional on the future state of the CT ecosystem: > e.g., "StartCom/WoSign must not use their own or each other's logs, > unless no other browser-accepted log accepts their roots"
I think the rule we are putting in place is that: "StartCom/WoSign SHOULD NOT fulfil the non-Google log requirement by using logs that they run themselves. For as long as they do so, they will need to demonstrate ongoing evidence of efforts to get other logs to take their volume, and why those efforts have not been successful." Is that better? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
