On 03/01/2019 16:46, Kurt Roeckx wrote:
> On 2019-01-03 16:25, Jakob Bohm wrote:
>> There are the date fields in the SubCA certificate itself, as well as any
>> embedded CT data (assuming the parent CA is correctly CT-logged).
>
> Do you expect precertificates for CA certificates?
>
> I currently don't know if there are any requirements for logging CA certificates in CT. I assume it was only for subscriber certificates, but I didn't check what Google's current policy is. So it's possible that a CA certificate is only logged the first time a subscriber certificate is generated.


Again, this e-mail reminder is only useful in cases where the CA
gave a good opportunity for early enough detection.  CT logging with or
without CT-logged precertificates is something that a CA might automate
as part of their scripted root key usage ceremony, unlike uploading a
copy of the certificate to a SalesForce hosted web site (I would
consider it prudent to keep public Internet web browsers outside the
secure cage where the root key is accessed).

Even if the SubCA itself is not CT logged, some of the related
technical certificates might be.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
