Does Mozilla have a stated plan to include CT in its products? 

The issues Ben lists sound like reasonable concerns, but it seems this is 
putting the cart before the horse. The linchpin of CT is being able to turn on 
hard-fail when the SCT is missing or doesn't agree with the logs--or whatever 
the case may be.

I promise you that CT hard-fail will never happen because it requires CAs to 
be competent (some of whom genuinely are) or end entity cert holders to be 
interested (some of whom genuinely are) or both. It's just not the reality when 
you have a massive and complicated website deployment that people can or will 
be interested. There are too many moving pieces as it is.

Should Chrome activate hard-fail you will start to hear people say, "that site 
doesn't work on Chrome for some reason, just use Firefox or Safari or IE".


  Original Message  
From: Ryan Sleevi
Sent: Tuesday, August 12, 2014 7:05 PM
To: dev-security-policy@lists.mozilla.org
Reply To: ryan-mozdevsecpol...@sleevi.com
Subject: Chromium, EV, and CT

I just wanted to alert members of this list of a discussion that has been
started on Chromium's ct-policy@ mailing list regarding Chromium's
policies for requiring EV certificates be logged in Certificate
Transparency Logs.

Ben Laurie has started a discussion at
https://groups.google.com/a/chromium.org/d/msg/ct-policy/_p8zRz5Em3s/2_0r4YjRQ8sJ
about whether or not CAs should be permitted to redact domain names when
logging certificates. As you can see from Ben's analysis of the Baseline
Requirements and EV Guidelines, this may affect the ability of the public
to ensure that CAs are conforming to the EV Guidelines, and thus rely on
audits to ensure this.

We welcome feedback from all parties, and are particularly interested to
hear from those who would like to use the CT logs to better ensure
compliance with Mozilla's policies and the competency of auditors, two
very relevant discussions happening here. As it presently stands,
Chromium's policy prevents such redactions.

To help ensure everybody can participate, please avoid cross-posting, and
instead comment on the original.

Cheers!

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy