> As a CT log operator, do I need to begin submitting my new logs to Firefox, or will you take logs from the other programs? > As a CA, do you have a list of supported logs that we can validate against?
Currently Firefox derives the list of trusted logs from Google's list: https://www.gstatic.com/ct/log_list/v3/log_list.json Should this ever change, we'll give plenty of notice. To see what logs are in a particular version of Firefox, you can examine the history of https://searchfox.org/mozilla-central/source/security/ct/CTKnownLogs.h On Tue, Feb 4, 2025 at 1:05 PM Matthew McPherrin <[email protected]> wrote: > Congratulations! > > As a CT log operator, do I need to begin submitting my new logs to > Firefox, or will you take logs from the other programs? > As a CA, do you have a list of supported logs that we can validate against? > > Thanks, > > Matthew McPherrin > Let's Encrypt SRE > > On Tuesday, February 4, 2025 at 2:54:28 PM UTC-5 Dana Keeler wrote: > >> Hi folks, >> >> Certificate Transparency is an important part of the web PKI that enables >> the detection of misissued certificates. Starting in Firefox 135, >> Certificate Transparency is now enforced on all desktop platforms. This >> means that Firefox now requires that TLS web server certificates issued >> from roots in Mozilla's Root CA program be accompanied by sufficient >> Certificate Transparency information (essentially, 2 SCTs) in order for TLS >> connections to succeed. Otherwise, Firefox will show the error " >> MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY". >> >> In practice, this should require no particular changes on the part of >> website operators. If your site works in Chrome and Safari, it should work >> in Firefox as well. However, if you were making use of policies to exempt >> certain internal certificates or domains from CT, you will need to apply >> those policies to Firefox as well. See >> https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies >> >> If you encounter any issues, please let us know or file a bug directly: >> https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM >> >> Thank you, >> Dana >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAHP1u2jwNWxqMcwazfYOsq6gieSxT3PVO0Q6J8RE5vpafpWOmA%40mail.gmail.com.
