If I understand correctly from Bug 1921525<https://bugzilla.mozilla.org/show_bug.cgi?id=1921525>, CT enforcement just landed in Firefox Nightly. Congratulations, Mozilla team! I have questions though...
Am I correct that Firefox Nightly is currently using this hard-coded log list<https://github.com/mozilla/gecko-dev/blob/master/security/ct/CTKnownLogs.h>, meaning that log list changes will be tied to browser releases? If so, may I ask if Mozilla plans to implement a dedicated log list update mechanism, perhaps based on a JSON feed as both Chrome<https://www.gstatic.com/ct/log_list/v3/log_list.json> and Apple<https://valid.apple.com/ct/log_list/current_log_list.json> have done? Does Mozilla have a CT Policy yet? This wiki page<https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency> from 2015 is the only documentation I could find. Does Mozilla have a CT Log Policy yet? Chrome is working towards<https://groups.google.com/a/chromium.org/g/ct-policy/c/W7OSO3SbrFo/m/S2XyhXx_AAAJ> allowing static-ct-api logs in addition to RFC6962 logs. Does Mozilla plan to do the same? -- Rob Stradling Distinguished Engineer Sectigo Limited -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB472996175CFFA847A788DF44AA462%40MW4PR17MB4729.namprd17.prod.outlook.com.
