* Daniel Micay:
> These rules would be a lot more meaningful if any new additions to the
> trust store were required to have Certificate Transparency implemented
> for the sake of auditing, along with a deadline for other CAs to put it
> in place. CT would have meant this was trivially caught *much* earlier
> by security researchers.
That depends on how many legitimate gmail.com certificates are out there. Organizations struggle to keep track of their own certificates. It's difficult to see how relative outsiders (and most “security researchers” are) can cope with that, except by raising an alarm about everything they see (which is not generally helpful).

There's also an ongoing effort to defang CT and make the data much less useful, so CT could turn meaningless fairly soon.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
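The reply's point about outsiders versus certificate owners can be shown concretely. The script below is an added example, not code from the thread or from Mozilla; it triages a constructed set of CT log entries for a monitored domain. Without an inventory of expected issuers (the outsider's position) every matching entry is an alert; with the owner's expected-issuer list only certificates from an unknown CA are flagged. The entry fields, issuer labels and sample data are assumptions made up for illustration and do not represent any real CA or log.

```python
"""Triage of Certificate Transparency (CT) log entries for one domain.

Added example, not from the mailing-list thread. Entries are constructed
inline in a simplified shape a CT monitor might normalise log records to;
the issuer labels and the allowlist are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CtEntry:
    log_index: int      # position of the entry in the (hypothetical) log
    names: tuple        # DNS names from the certificate's SAN extension
    issuer: str         # issuing CA, as a short placeholder label
    not_before: str     # certificate validity start, ISO date (constructed)


# Constructed sample entries; issuer names are placeholders, not real CAs.
SAMPLE_ENTRIES: Tuple[CtEntry, ...] = (
    CtEntry(1001, ("mail.example.com",), "Expected CA A", "2025-01-10"),
    CtEntry(1002, ("*.example.com", "example.com"), "Expected CA B", "2025-01-12"),
    CtEntry(1003, ("login.example.com",), "Unexpected CA Z", "2025-01-14"),
    CtEntry(1004, ("shop.example.net",), "Expected CA A", "2025-01-15"),
)


def _normalise(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def covers_domain(name: str, domain: str) -> bool:
    """True when a SAN name (wildcards included) is the domain or a subdomain of it."""
    n, d = _normalise(name), _normalise(domain)
    return n == d or n.endswith("." + d)


def triage(
    entries: Iterable[CtEntry],
    domain: str,
    expected_issuers: Optional[Iterable[str]] = None,
) -> Tuple[List[CtEntry], List[CtEntry]]:
    """Split entries naming `domain` into (alerts, expected).

    With no issuer allowlist, the outsider's situation, every relevant entry
    is an alert. With the owner's allowlist, only unexpected issuers alert.
    """
    relevant = [e for e in entries if any(covers_domain(n, domain) for n in e.names)]
    if expected_issuers is None:
        return relevant, []
    allow = {i.lower() for i in expected_issuers}
    alerts = [e for e in relevant if e.issuer.lower() not in allow]
    expected = [e for e in relevant if e.issuer.lower() in allow]
    return alerts, expected


if __name__ == "__main__":
    outsider_alerts, _ = triage(SAMPLE_ENTRIES, "example.com")
    print(f"outsider view: {len(outsider_alerts)} alerts (everything relevant)")
    owner_alerts, known = triage(
        SAMPLE_ENTRIES, "example.com", ["Expected CA A", "Expected CA B"]
    )
    print(f"owner view: {len(known)} expected, {len(owner_alerts)} alert(s)")
    for e in owner_alerts:
        print(f"  log index {e.log_index}: {e.names} issued by {e.issuer}")
```

The allowlist is the piece an outside researcher does not have; the code makes that asymmetry visible by returning the same three relevant entries as alerts in one case and a single actionable one in the other. A real monitor would also need to handle the inventory drift the reply mentions, since an owner whose allowlist is stale produces the same noise as the outsider.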

