Thank you everyone for your interest!

On Wed, Oct 16, 2024 at 3:27 AM 'Rob Stradling' via [email protected] <[email protected]> wrote:

> If I understand correctly from Bug 1921525 <https://bugzilla.mozilla.org/show_bug.cgi?id=1921525>, CT enforcement just landed in Firefox Nightly. Congratulations, Mozilla team! I have questions though...
>
> Am I correct that Firefox Nightly is currently using this hard-coded log list <https://github.com/mozilla/gecko-dev/blob/master/security/ct/CTKnownLogs.h>, meaning that log list changes will be tied to browser releases?

Yes, that is currently the case.

> If so, may I ask if Mozilla plans to implement a dedicated log list update mechanism, perhaps based on a JSON feed as both Chrome <https://www.gstatic.com/ct/log_list/v3/log_list.json> and Apple <https://valid.apple.com/ct/log_list/current_log_list.json> have done?

We are considering such a mechanism.

> Does Mozilla have a CT Policy yet? This wiki page <https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency> from 2015 is the only documentation I could find.

Currently our CT Policy is equivalent to Chrome's (and is thus compatible with Apple's). That wiki page is very out of date and will be updated.

> Does Mozilla have a CT Log Policy yet?

Mozilla does not yet have a CT Log Policy. The implementation currently considers logs acceptable in Chrome to be acceptable in Firefox. We may develop a more formal position in the future.

> Chrome is working towards <https://groups.google.com/a/chromium.org/g/ct-policy/c/W7OSO3SbrFo/m/S2XyhXx_AAAJ> allowing static-ct-api logs in addition to RFC6962 logs. Does Mozilla plan to do the same?

If it becomes clear that supporting static-ct-api logs is necessary to interoperate, we will probably allow them as well.

On Wed, Oct 16, 2024 at 1:30 PM Ryan Hurst <[email protected]> wrote:

> I agree. Unfortunately, an extension of this period essentially slows down the agility of the CT ecosystem. I hope the implementers of this work sync with the Chrome and Apple teams to understand the reasons behind some of their implementation behaviors so they can be taken into consideration. For example, I believe both turn off CT enforcement after some time due to past issues. Regardless, I am happy to finally see this work proceed and wish the Mozilla team success in this journey.
>
> On Wed, Oct 16, 2024 at 10:22 AM 'Matthew McPherrin' via [email protected] <[email protected]> wrote:
>
>> It appears that Firefox has a 12-week time-gate on enforcement:
>>
>> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/certverifier/CertVerifier.cpp#L241
>> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/ct/CTKnownLogs.h#L17
>> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/taskcluster/docker/periodic-updates/scripts/getCTKnownLogs.py#L228-L230
>>
>> This is two weeks longer than Chrome's 70-day enforcement gate, which seems like it could potentially cause issues, assuming CAs are looking at Apple and Google's "Usable" state only. I think in practice logs are "usable" well in advance of their submission windows, so this may cause a tricky-to-diagnose edge case for Firefox users that only happens rarely.

Yes, one would hope that we wouldn't negatively impact the agility of the ecosystem. I'm sure we can find a way to rectify this misalignment.
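A model of the enforcement-gate misalignment Matthew McPherrin raises above, written as an added example for this thread; it is not Mozilla's code and does not read CTKnownLogs.h. It embeds a constructed log list with a build timestamp and a constructed certificate whose SCTs come from one log the build knows and one log that became usable after the build; the gate lengths (12 weeks, 70 days) are the thread's, while the compliance rule (two SCTs from distinct known logs) is a simplification assumed here, not Chrome's or Mozilla's exact policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Enforcement gates as stated in the thread: Firefox 12 weeks, Chrome 70 days.
# A build stops enforcing CT once its embedded log list is older than its gate.
GATES = {"firefox": timedelta(weeks=12), "chrome": timedelta(days=70)}

@dataclass(frozen=True)
class EmbeddedLogList:
    """Hard-coded log list shipped in a browser build (stand-in for CTKnownLogs.h)."""
    built_at: datetime            # timestamp recorded when the list was generated
    known_log_ids: frozenset      # IDs of the logs the build recognises

def enforcement_active(browser: str, log_list: EmbeddedLogList, now: datetime) -> bool:
    """True while the embedded list is younger than the browser's gate."""
    return now - log_list.built_at < GATES[browser]

def ct_verdict(browser: str, log_list: EmbeddedLogList, sct_log_ids, now: datetime,
               min_scts: int = 2) -> str:
    """Return 'not_enforced', 'compliant' or 'rejected'.

    Simplified policy (an assumption of this example, not Chrome's exact rule):
    the certificate needs min_scts SCTs from distinct logs present in the build.
    SCTs from logs the build has never heard of contribute nothing.
    """
    if not enforcement_active(browser, log_list, now):
        return "not_enforced"
    recognised = {lid for lid in sct_log_ids if lid in log_list.known_log_ids}
    return "compliant" if len(recognised) >= min_scts else "rejected"

def misalignment_window(log_list: EmbeddedLogList):
    """Interval in which Chrome has stopped enforcing but Firefox still enforces
    with a list of the same age: the two weeks McPherrin points out."""
    return log_list.built_at + GATES["chrome"], log_list.built_at + GATES["firefox"]

# Constructed scenario: a build from 1 Aug 2024 knowing two logs; a newer log-C
# became usable afterwards, so CAs relying on the live Chrome/Apple lists use it.
BUILD = EmbeddedLogList(datetime(2024, 8, 1, tzinfo=timezone.utc),
                        frozenset({"log-A", "log-B"}))
CERT_SCTS = ["log-A", "log-C"]                            # constructed certificate
CHECK_AT = datetime(2024, 10, 16, tzinfo=timezone.utc)    # 76 days after the build

if __name__ == "__main__":
    start, end = misalignment_window(BUILD)
    print(f"Chrome stops enforcing {start.date()}, Firefox {end.date()}")
    for browser in GATES:
        print(f"{browser}: {ct_verdict(browser, BUILD, CERT_SCTS, CHECK_AT)}")
```

At 76 days of list age the Chrome model has already stopped enforcing, while the Firefox model still enforces and rejects the certificate because only one of its SCTs comes from a log the build knows.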
