On 14/10/16 15:46, Gervase Markham wrote: > On 14/10/16 11:37, Rob Stradling wrote: >> Sure, but aren't we talking about specifying criteria for which log(s) >> StartCom/WoSign _can't_ use in future? >> >> If Mozilla would prefer to forbid StartCom/WoSign from using their own >> or each other's logs, then ISTM that it would be best to specify >> criteria that is conditional on the future state of the CT ecosystem: >> e.g., "StartCom/WoSign must not use their own or each other's logs, >> unless no other browser-accepted log accepts their roots" > > I think the rule we are putting in place is that: "StartCom/WoSign > SHOULD NOT fulfil the non-Google log requirement by using logs that they > run themselves. For as long as they do so, they will need to demonstrate > ongoing evidence of efforts to get other logs to take their volume, and > why those efforts have not been successful." > > Is that better?
SGTM. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
