On 4 November 2016 at 07:19, Gervase Markham <g...@mozilla.org> wrote: > * How do we decide when to un-trust a log? What reasons are valid > reasons for doing so?
Do we want different types of distrust for a log? That is, a "We don't trust you at all anymore" distrust vs a "We don't trust signatures issued after this date" distrust. > * Do we want to require a certain number of SCTs for certificates of > particular validity periods? Do we want to trest different types of SCTs differently for this purpose? (precert vs OCSP vs TLS Extension.) > * Do we want to allow some CAs to opt into CT before those dates? Do we want to allow some websites to opt into CT before those dates? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
