Hey list,

Here are some suggestions:

Should we define log algorithm/key requirements (hashing algorithms (relevant to RFC6962-bis), asymmetric key type and length)?

Should we define a maximum threshold on log response delay to queries? (e.g. is it acceptable for a log to answer queries with a delay of tens of seconds or even minutes?)

Should we authorize log trust anchor list variations? If so, should variations have to be publicly disclosed? Should we authorize removal of trust anchors?

Should a log be authorized to reject add-chain calls when under stress? Should we limit how often this happens?

Should we want to restrict the protocol version and cipher suites that are supported by the log HTTPS endpoints?

Cheers,
Florian
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy