It appears that Firefox has a 12-week time-gate on enforcement:
https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/certverifier/CertVerifier.cpp#L241
https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/ct/CTKnownLogs.h#L17
https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/taskcluster/docker/periodic-updates/scripts/getCTKnownLogs.py#L228-L230

This is two weeks longer than Chrome's 70-day enforcement gate, which seems like it could potentially cause issues, assuming CAs are looking at Apple and Google's "Usable" state only. I think in practice logs are "usable" well in advance of their submission windows, so this may cause a tricky-to-diagnose edge case for Firefox users that only happens rarely.

On Wed, Oct 16, 2024 at 6:27 AM 'Rob Stradling' via [email protected] <[email protected]> wrote:

> If I understand correctly from Bug 1921525
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1921525>, CT enforcement
> just landed in Firefox Nightly. Congratulations, Mozilla team! I have
> questions though...
>
> Am I correct that Firefox Nightly is currently using this hard-coded log list
> <https://github.com/mozilla/gecko-dev/blob/master/security/ct/CTKnownLogs.h>,
> meaning that log list changes will be tied to browser releases?
> If so, may I ask if Mozilla plans to implement a dedicated log list update
> mechanism, perhaps based on a JSON feed as both Chrome
> <https://www.gstatic.com/ct/log_list/v3/log_list.json> and Apple
> <https://valid.apple.com/ct/log_list/current_log_list.json> have done?
>
> Does Mozilla have a CT Policy yet? This wiki page
> <https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency> from
> 2015 is the only documentation I could find.
>
> Does Mozilla have a CT Log Policy yet?
>
> Chrome is working towards
> <https://groups.google.com/a/chromium.org/g/ct-policy/c/W7OSO3SbrFo/m/S2XyhXx_AAAJ>
> allowing static-ct-api logs in addition to RFC6962 logs. Does Mozilla plan to do
> the same?
>
> --
> Rob Stradling
> Distinguished Engineer
> Sectigo Limited
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB472996175CFFA847A788DF44AA462%40MW4PR17MB4729.namprd17.prod.outlook.com.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAKh5S0bUr9Zn45X4QzBzO1u%2B-_qxUrJ-XLB79DYNHM1TNN9yCQ%40mail.gmail.com.
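The edge case raised in the message above can be made concrete with a small model. The following is an added illustration, not code from the thread or from Mozilla or Chromium. It assumes (a) that a "time-gate" means a client whose embedded log list is older than the gate stops enforcing CT entirely (70 days for Chrome and 12 weeks for Firefox, as stated in the message), (b) that a log is marked "Usable" once it has been in the list for 70 days, so every still-enforcing Chrome client already knows it, and (c) that a CA begins relying on the log the day it turns Usable. Dates, the hypothetical log and the browser names are constructed for the example. The model computes, for each browser, the list ages at which an enforcing client would reject a certificate whose SCTs come only from the new log.

```python
from datetime import date, timedelta

# Enforcement gates as stated in the thread: a client whose embedded log list
# is older than this stops enforcing CT. (Assumption: that is what the linked
# time-gate code does; the two durations themselves come from the message.)
GATES = {"chrome": timedelta(days=70), "firefox": timedelta(weeks=12)}

# Assumption: a log becomes "Usable" once it has sat in the log list for 70
# days, so that every Chrome client still inside its 70-day gate has a list
# that already contains the log.
QUALIFIED_TO_USABLE = timedelta(days=70)


def enforcing(browser: str, list_timestamp: date, today: date) -> bool:
    """True if a client whose list is stamped `list_timestamp` still enforces CT."""
    return today - list_timestamp <= GATES[browser]


def knows_log(list_timestamp: date, log_added: date) -> bool:
    """True if a list stamped `list_timestamp` already contains a log added on `log_added`."""
    return log_added <= list_timestamp


def sct_accepted(browser: str, list_timestamp: date, log_added: date, today: date) -> bool:
    """Outcome for a certificate whose SCTs all come from the log added on `log_added`.

    A client outside its gate does not enforce CT and accepts the chain; an
    enforcing client accepts only if its embedded list knows the log.
    """
    if not enforcing(browser, list_timestamp, today):
        return True
    return knows_log(list_timestamp, log_added)


def rejecting_list_ages(browser: str, log_added: date, today: date,
                        max_age_days: int = 200) -> list[int]:
    """Ages (in days) of an embedded log list at which `browser` rejects the certificate."""
    ages = []
    for age in range(0, max_age_days + 1):
        list_timestamp = today - timedelta(days=age)
        if not sct_accepted(browser, list_timestamp, log_added, today):
            ages.append(age)
    return ages


def usable_date(log_added: date) -> date:
    """Day on which a log added to the lists on `log_added` turns Usable (assumption above)."""
    return log_added + QUALIFIED_TO_USABLE


if __name__ == "__main__":
    # Constructed scenario: a hypothetical log enters the lists on 2024-01-01
    # and a CA starts relying on it on the day it turns Usable (2024-03-11).
    log_added = date(2024, 1, 1)
    first_use = usable_date(log_added)
    for browser in GATES:
        ages = rejecting_list_ages(browser, log_added, first_use)
        print(f"{browser}: list ages (days) rejecting the cert on {first_use}: {ages}")
    # If the CA waits a further 14 days before using the log, the Firefox window closes.
    later = first_use + timedelta(days=14)
    print("firefox, 14 days later:", rejecting_list_ages("firefox", log_added, later))
```

Under these assumptions Chrome never rejects: any client old enough not to know the log is also past its 70-day gate and has stopped enforcing. Firefox clients whose list is between 71 and 84 days old are still enforcing but predate the log, which is exactly the two-week discrepancy the message describes; the last call shows that a CA holding off for those 14 days after the Usable date removes the window, which is why the problem is expected to surface only rarely.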
