在 2016年11月4日星期五 UTC+8下午8:20:11,Gervase Markham写道: > CT is coming to Firefox. As part of that, Mozilla needs to have a set of > CT policies surrounding how that will work. Like our root inclusion > program, we intend to run our CT log inclusion program in an open and > transparent fashion, such that the Internet community can see how it > works and how decisions are made. (It is quite possible that, like our > root program, other entities without the resources to run their own > programs might adopt our decisions.) > > This policy will need to consider at least the following questions. The > point of this posting is to gather more _questions_, not to work out the > answers. In other words, I am trying to work out the scope of the > policy, not what the policy will be. > > So, please add comments with additional _questions_ you think the policy > will need to address. What the answers should be is (for now) off-topic. > > Questions I have so far: > > * How do we decide which logs to trust? > > * Do we have requirements for uptime? > * Do we have requirements for certs accepted? > * Do we have requirements for the MMD? > > * How do we decide when to un-trust a log? What reasons are valid > reasons for doing so? > > * Do we want to put monitoring in place to ensure our log quality or > uptime requirements are met? > > * Are there any CT-related services Mozilla should consider running or > supporting, for the good of the ecosystem? > > * Do we want to require a certain number of SCTs for certificates of > particular validity periods? > > * Do we want the Google/non-Google diversity requirement? Or any other > diversity reqirement? > > * Which certs, if any, should we require CT for, and when? > > * Do we want to allow some CAs to opt into CT before those dates? > > * Do we want to require some CAs to do CT before those dates? > > Gerv
1. What will happen if CT validation failed? Can we add a security excpetion about this? 2. Is SLA required for Mozilla chosen CT operator? 3. If CT is required, can we request a CT embedded certificate from CAs because some webserver don't support TLS extension. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy