On 05/19/2017 10:25 AM, Gervase Markham wrote:
> Embedding SCTs is not the only way SCTs can be delivered - they can come
> in the SSL handshake or via OCSP. Requiring them to be embedded does
> have the advantage that certificates now carry an unforgeable timestamp,
> and it was something I proposed in a version of Mozilla's now-dormant CT
> policy. But for various reasons, it's not necessarily practical to
> require it in all circumstances (which is why the CT RFC defines
> multiple mechanisms).
>
> Firefox does have some support for checking SCT presence and validity,
> but it's not turned on.
>
My concern here is right now, we're trying to rebuild trust for Symantec. We're very much in a "trust but verify" sorta thing, and I don't think it's an unjustified requirement to do so. I think CT is about the only thing that has allowed us to reasonably consider keeping Symantec in the root store at all. However, for Mozilla's purposes, is there a case where having an SCT in a certificate would either break something, or otherwise be undesirable?

Well, at least with the current state of webpki, mandating an embedded SCT is probably not practical for everyone. I actually forgot about the OCSP stapling mechanism for SCTs, though my concern here is not everyone turns on OCSP stapling. As far as I know, I think Microsoft's IIS is the only major web server that turns OCSP stapling on out of the box.

Since both OCSP CT stapling and embedded SCTs require that the cert be submitted to a log at issuance, part of me wonders if the right middle ground is this:

- By default, Symantec shall issue certificates with embedded SCTs (soft-fail for failure to validate SCT information)
- If, due to customer demand, a certificate with an embedded SCT cannot be used, said certificate must get the SCT information by a stapled OCSP response or via TLS extension to be trusted by Mozilla. (hard-fail)

This should cover the general case fairly well, and for the edge cases, well, either it's for a special class of device that we don't care about, or the customer has to do some work to get things working in Mozilla. Or in other words, if there's a case where an embedded SCT can't fly here, then we mandate that one of the other two validation options must be present for things to fly.

That being said, for my personal knowledge, I'd love to know more on the real world practicalities of embedding SCTs.

Thanks for your feedback.

>>> Are there any RA's left for Symantec?
Following up to this, the question that I should have asked is who can technically do an issuance of certificates based on Symantec's roots. SSP customers are a recent discovery. I wonder if there's anything else.

Michael

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
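To make the "embedded SCT" delivery mechanism discussed in this thread concrete, here is an added example (not code from the thread, from Mozilla or from Symantec): a Python parser for the value of the RFC 6962 embedded-SCT certificate extension (OID 1.3.6.1.4.1.11129.2.4.2), which is a DER OCTET STRING wrapping a TLS-encoded SignedCertificateTimestampList, recovering the log id and the timestamp each SCT carries. The sample extension bytes, log ids and signature bytes are constructed placeholders rather than data from any real log, and the code parses but does not verify the SCT signatures, which a real client must do against the log's public key.

```python
from datetime import datetime, timezone

def unwrap_octet_string(der: bytes) -> bytes:
    """Embedded SCTs live in a DER OCTET STRING; return the TLS list inside."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    start = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)  # short/long length form
    length = der[1] if der[1] < 0x80 else int.from_bytes(der[2:start], "big")
    if start + length != len(der):
        raise ValueError("truncated or trailing bytes in OCTET STRING")
    return der[start:]

def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 v1 SignedCertificateTimestamp (TLS encoding)."""
    p = 43 + int.from_bytes(sct[41:43], "big")  # version(1)+log_id(32)+ts(8)+ext_len(2)+ext
    if not sct or sct[0] != 0 or p + 4 > len(sct):
        raise ValueError("unsupported SCT version or truncated SCT")
    log_id, ts_ms = sct[1:33], int.from_bytes(sct[33:41], "big")  # log key hash, ms since epoch
    sig_len = int.from_bytes(sct[p + 2:p + 4], "big")
    signature = sct[p + 4:p + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return {"log_id": log_id.hex(), "timestamp_ms": ts_ms,
            "timestamp": when.isoformat(timespec="seconds"),
            "hash_alg": sct[p], "sig_alg": sct[p + 1], "signature": signature}

def parse_embedded_scts(ext_value: bytes) -> list:
    """Parse the list: 2-byte total length, then (2-byte length, SCT) items."""
    blob = unwrap_octet_string(ext_value)
    if 2 + int.from_bytes(blob[:2], "big") != len(blob):
        raise ValueError("bad SCT list length")
    scts, pos = [], 2
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 2], "big")
        item = blob[pos + 2:pos + 2 + n]
        if len(item) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(item))
        pos += 2 + n
    return scts

# Constructed sample (not from a real log): two v1 SCTs, SHA-256/ECDSA (4, 3), no extensions.
def _encode_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    body = (b"\x00" + log_id + ts_ms.to_bytes(8, "big") + b"\x00\x00"
            + b"\x04\x03" + len(sig).to_bytes(2, "big") + sig)
    return len(body).to_bytes(2, "big") + body
_items = (_encode_sct(b"\xaa" * 32, 1495185900000, b"\x5a" * 70)  # placeholder signatures
          + _encode_sct(b"\xbb" * 32, 1495185900250, b"\x5a" * 70))
# 0x81 = long-form DER length (list is 240 bytes, above the short-form limit of 127)
SAMPLE_EXTENSION = b"\x04\x81" + bytes([len(_items) + 2]) + len(_items).to_bytes(2, "big") + _items
```

Against a real certificate, feed the raw extension value (the bytes inside the extension's OCTET STRING as returned by your X.509 library, which is itself the DER OCTET STRING handled by unwrap_octet_string) to parse_embedded_scts; each returned timestamp is the "unforgeable timestamp" the quoted message refers to, valid only once the signature is checked against the log key identified by log_id.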