It is a separate discussion. I wanted only some sort of statement from Mozilla 
about time frames and anticipated functionalities, if there are any.

If the scope of CT is being narrowed to focus only on the use of log files as 
an auditing and compliance facility, that is something even I might agree with. 
As scoped out in RFC 6962, however, I would say the benefit to having CT in 
the browser is not even close to being an obvious win because the real world is 
not even close to the perfect world. There are just too many gaps.

But, as you point out, no one at Google is interested in stopping just because 
I see its impact as falling short of the dream. I accept that.


  Original Message  
From: Ryan Sleevi
Sent: Tuesday, August 12, 2014 9:06 PM
To: fhw...@gmail.com
Reply To: ryan-mozdevsecpol...@sleevi.com
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: Chromium, EV, and CT

On Tue, August 12, 2014 6:49 pm, fhw...@gmail.com wrote:
> Does Mozilla have a stated plan to include CT in its products? 

This is a separate discussion, and doesn't affect Mozilla's ability to use
CT logs to detect violations of Mozilla's inclusion policy.

Obviously, CT in the client would be a win, but I think that even without
such a plan in place, the CT logs provide a valuable tool in ensuring
compliance, something that's unfortunately been lacking.


> The issues Ben lists sound like reasonable concerns but it seems this is
> putting the cart before the horse. The linchpin of CT is being able to
> tur‎n on hard-fail when the SCT is missing or doesn't agree with the
> logs--or whatever the case may be.
>
> I promise you that CT hard-fail ‎will never happen because it requires
> CA's to be competent (some of whom genuinely are) or end entity cert
> holders to be interested (some of whom genuinely are) or both. It's just
> not the reality when you have a massive and complicated website deployment
> that people can or will be interested. There are too many moving pieces as
> it is.
> ‎
> Should Chrome activate hard-fail you will start to hear people say, "that
> site doesn't work on Chrome for some reason, just use Firefox or Safari or
> IE".

As always, we welcome your feedback. However, this doesn't seem relevant
to the question/discussion at hand, nor does your potential future
meaningfully affect the factors weighing on CT implementation.

As it stands, both Mozilla Firefox and Google Chrome have shown that it is
possible to improve the CA ecosystem over time, and with appropriate
signals. Similarly, other efforts, such as
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
or new features such as ServiceWorker
http://jakearchibald.com/2014/service-worker-first-draft/ , and normative
requirements such as
http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-9.2 , show
that there are still opportunities to help encourage sites to adopt
stronger security practices.

However, that's all neither here nor there. This isn't and wasn't a post
about hard-fail CT, but how CT can help Mozilla better regulate its
policies, and the interest in the community of being able to freely and
transparently audit CAs to such conformance. Thus assume, if you will, a
"perfect" world where CT was required and embraced by CAs. Would we want
these features? Whether yea or nay, best to answer on ct-policy@.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
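The thread talks about an SCT that "doesn't agree with the logs" and about using the logs as an audit facility. What makes either check possible is the RFC 6962 Merkle Tree Hash: a log commits to its entries with a signed tree head, and it can prove that any given leaf is in that tree with an audit path that a client or monitor re-hashes up to the root. The following is an added example, not code from the mailing-list thread or from any CT log implementation. It builds the tree, produces the audit path, and runs the inclusion-proof verification from RFC 6962 section 2.1.1 (the bit-twiddling form later written out in RFC 9162). The leaves are constructed placeholder byte strings standing in for serialised MerkleTreeLeaf structures, so no network, log or real certificate is involved.

```python
"""RFC 6962 Merkle Tree Hash, audit paths, and inclusion-proof verification.

Added example for illustration only; the leaves used in the demo are
constructed placeholders, not real MerkleTreeLeaf encodings from a log.
"""
import hashlib

LEAF_PREFIX = b"\x00"  # RFC 6962: leaf hash = SHA-256(0x00 || leaf)
NODE_PREFIX = b"\x01"  # RFC 6962: node hash = SHA-256(0x01 || left || right)


def leaf_hash(leaf: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: list) -> bytes:
    """MTH(D[n]) as defined in RFC 6962 section 2.1."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def audit_path(m: int, leaves: list) -> list:
    """PATH(m, D[n]) per RFC 6962 section 2.1.1: the sibling hashes the
    verifier needs to recompute the root from leaf m."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path and compare it
    with the root the log signed. Returns False on any mismatch, including
    a path that is too long or too short for the claimed tree size."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False  # path has more nodes than the tree has levels
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)  # we are the right child
            if not (fn & 1):
                # Right-most node at this level: skip levels where the
                # subtree has no right sibling.
                while fn != 0 and not (fn & 1):
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are the left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def demo() -> dict:
    """Constructed five-entry 'log'; prove entry 3 is included, then show
    that a forged leaf and a wrong tree size are both rejected."""
    leaves = [b"constructed-entry-%d" % i for i in range(5)]
    root = merkle_tree_hash(leaves)
    path = audit_path(3, leaves)
    return {
        "path_len": len(path),
        "genuine": verify_inclusion(leaves[3], 3, 5, path, root),
        "forged_leaf": verify_inclusion(b"forged", 3, 5, path, root),
        "wrong_size": verify_inclusion(leaves[3], 3, 4, path, root),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the leaf is the MerkleTreeLeaf built from the certificate and its SCT timestamp, the root comes from a signed tree head fetched from the log, and the path comes from the log's get-proof-by-hash endpoint; only the hashing and verification above are done locally, which is why a monitor can audit a log's claims without trusting it.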
