On 02/04/2018 18:26, Tom Delmas wrote:
> Following the discussion on
> https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394
> What is the position of Mozilla about the submission to CT logs of the
> final certificate when there is already a pre-certificate?
> As it helps discover bugs
> (https://twitter.com/_quirins/status/979788044994834434), it helps
> accountability of CAs and it's easily enforceable, I feel that it should
> be mandatory.
If such a policy were to be enacted, an alternative to submitting the
final certificate should be to revoke the certificate in both a
published CRL and OCSP. It would be counter to security to require
issuance in the few cases where misissuance is detected between CT
pre-cert logging and actual issuance.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
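The check a CT monitor would run to enforce the rule discussed in this thread (every logged precertificate must be followed either by a logged final certificate or by revocation in both a published CRL and OCSP), as an added example; it is not code from the thread, from Mozilla, or from any CA or log operator. The LogEntry record, the reconcile and sample_report functions, the grace period, the issuer name "CN=Example CA" and every serial, timestamp and revocation status below are constructed assumptions. Matching on (issuer, serial) relies on RFC 6962 requiring a precertificate and its final certificate to share those fields; a precertificate signed by a Precertificate Signing Certificate is assumed to have had its issuer re-mapped to the real issuer before it reaches this check.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# (issuer name, serial number) exactly as they appear in the final certificate
CertKey = Tuple[str, int]


@dataclass(frozen=True)
class LogEntry:
    """One CT log entry reduced to the fields this check needs (constructed model)."""
    issuer: str       # issuer as in the final cert; precerts signed by a Precertificate
                      # Signing Certificate are assumed re-mapped to the real issuer
    serial: int
    is_precert: bool
    timestamp: int    # log entry timestamp, in seconds


def reconcile(entries: Iterable[LogEntry],
              crl_revoked: Set[CertKey],
              ocsp_status: Dict[CertKey, str],
              now: int,
              grace_seconds: int) -> Dict[str, List[CertKey]]:
    """Classify every precertificate seen in the logs.

    logged:                  a final cert with the same (issuer, serial) was logged
    revoked:                 no final cert, but revoked in BOTH the CRL and OCSP
    inconsistent_revocation: revoked in only one of CRL / OCSP (not an acceptable state)
    pending:                 no final cert yet, still inside the grace period
    missing:                 no final cert, not revoked, grace period expired
    """
    first_seen: Dict[CertKey, int] = {}
    finals: Set[CertKey] = set()
    for e in entries:
        key = (e.issuer, e.serial)
        if e.is_precert:
            # the same precert is usually submitted to several logs; keep the earliest
            first_seen[key] = min(first_seen.get(key, e.timestamp), e.timestamp)
        else:
            finals.add(key)

    buckets = ("logged", "revoked", "inconsistent_revocation", "pending", "missing")
    report: Dict[str, List[CertKey]] = {b: [] for b in buckets}
    for key, ts in first_seen.items():
        in_crl = key in crl_revoked
        in_ocsp = ocsp_status.get(key) == "revoked"
        if key in finals:
            report["logged"].append(key)
        elif in_crl and in_ocsp:
            report["revoked"].append(key)
        elif in_crl != in_ocsp:
            report["inconsistent_revocation"].append(key)
        elif now - ts < grace_seconds:
            report["pending"].append(key)
        else:
            report["missing"].append(key)
    for keys in report.values():
        keys.sort()
    return report


def sample_report() -> Dict[str, List[CertKey]]:
    """Run the check over constructed sample data (not real log, CRL or OCSP contents)."""
    ca = "CN=Example CA"
    entries = [
        LogEntry(ca, 1001, True, 100), LogEntry(ca, 1001, True, 105),  # precert in two logs
        LogEntry(ca, 1001, False, 160),                                # ...and its final cert
        LogEntry(ca, 1002, True, 100),   # never issued; revoked in both CRL and OCSP
        LogEntry(ca, 1003, True, 100),   # revoked in the CRL only
        LogEntry(ca, 1004, True, 900),   # logged just now; the final cert may still come
        LogEntry(ca, 1005, True, 100),   # neither logged nor revoked
        LogEntry(ca, 1006, False, 100),  # final cert with no precert: nothing to reconcile
    ]
    crl_revoked = {(ca, 1002), (ca, 1003)}
    ocsp_status = {(ca, 1002): "revoked", (ca, 1003): "good"}
    return reconcile(entries, crl_revoked, ocsp_status, now=1000, grace_seconds=600)


if __name__ == "__main__":
    for bucket, keys in sample_report().items():
        print(f"{bucket}: {keys}")
```

Only the "missing" and "inconsistent_revocation" buckets would be reportable under the proposed policy; "pending" exists because a final certificate is normally logged some time after its precertificate, and the grace period is a policy choice, not something the thread fixes. A production monitor would derive the key from the DER of each entry rather than from pre-parsed fields.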