On 01/05/17 18:33, Alex Gaynor wrote:
> One idea that occurred to me (maybe novel, though I doubt it), is requiring
> mandatory _timely_ CT submission for intermediates/cross signatures. That
> is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
> less than some period, perhaps 3 days. This would ensure rapid visibility
> into important changes to the WebPKI.

Interesting idea. Thanks for suggesting it :-) So something like:

Any certificate issued in Symantec's publicly-trusted hierarchies with the cA boolean set to TRUE in basicConstraints must be submitted to two public CT logs within 3 days of issuance.

Gerv
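
The rule as worded in this message, written out as a monitoring check. This is an added example, not part of the original message or any Mozilla tooling. The record types and log labels are hypothetical, the sample data is constructed, and notBefore is used as the proxy for issuance time, as in the quoted formula.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_DELAY = timedelta(days=3)  # period suggested in the thread
MIN_LOGS = 2                   # "two public CT logs"

@dataclass(frozen=True)
class Sct:
    log_id: str        # hypothetical label identifying a CT log
    timestamp_ms: int  # SCT timestamp: milliseconds since the Unix epoch (RFC 6962)

@dataclass(frozen=True)
class CertRecord:
    subject: str
    is_ca: bool           # cA boolean from basicConstraints
    not_before: datetime  # timezone-aware notBefore
    scts: tuple = ()

def timely_logs(cert):
    """Distinct logs whose (SCT-timestamp - cert-not-before) is within MAX_DELAY."""
    logs = set()
    for sct in cert.scts:
        logged_at = datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc)
        # An SCT dated before notBefore gives a negative delay and counts as timely.
        if logged_at - cert.not_before <= MAX_DELAY:
            logs.add(sct.log_id)
    return logs

def is_compliant(cert):
    """Only cA=TRUE certificates are in scope; they need MIN_LOGS timely logs."""
    return (not cert.is_ca) or len(timely_logs(cert)) >= MIN_LOGS

def _ms(dt):
    return int(dt.timestamp() * 1000)

# Constructed sample data.
NB = datetime(2017, 5, 1, tzinfo=timezone.utc)
GOOD_CA = CertRecord("Example Intermediate A", True, NB, (
    Sct("log-a", _ms(NB + timedelta(days=1))),
    Sct("log-b", _ms(NB + timedelta(days=2)))))
LATE_CA = CertRecord("Example Intermediate B", True, NB, (
    Sct("log-a", _ms(NB + timedelta(days=1))),
    Sct("log-a", _ms(NB + timedelta(days=2))),    # same log twice counts once
    Sct("log-b", _ms(NB + timedelta(days=10)))))  # second log, but too late
LEAF = CertRecord("www.example.test", False, NB)  # cA=FALSE: out of scope

if __name__ == "__main__":
    for c in (GOOD_CA, LATE_CA, LEAF):
        print(c.subject, "compliant" if is_compliant(c) else "NON-COMPLIANT")
```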