On Tue, Jun 09, 2015 at 12:00:23PM -0700, Rick Andrews wrote:
> On Tuesday, June 9, 2015 at 7:45:05 AM UTC-7, Kurt Roeckx wrote:
> > On 2015-06-09 15:26, Peter Kurrasch wrote:
> > > 3) How frequently might such tools run? Or to put it differently, how 
> > > much time do I probably have between when I issue a gmail cert and when 
> > > someone figures it out (and of course how much longer before my 
> > > illegitimate cert is no longer valid)? I need only 24 hours to do all the 
> > > damage I want, but in a pinch I'll make do with 8.
> > 
> > CT allows storing a precertificate.  That is, the CA says it intends to 
> > issue a certificate.  Should we mandate the use of precertificates and a 
> > minimum time between the precertificate and the real certificate?
> 
> Absolutely not. If a CA is unable to get the required minimum number of
> SCTs, it will likely not issue the cert (sure, it may retry, but it's
> possible that retries fail too).  Logging must be seen as intent, but not
> a guarantee of issuance.

A minimum time doesn't imply a maximum (or, rather, a finite maximum).  From
your perspective, I'd object on another basis: any non-trivial delay in
issuance degrades the user experience of those acquiring certificates.  As a
consumer of CA services, I wouldn't want to have to wait (say) 3 days to get
my DV cert, just because of CT requirements.

- Matt

-- 
Advocating Object-Oriented Programming is like advocating Pants-Oriented
Clothing.
                -- Jacob Gabrielson

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
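The gap the thread is arguing about (how long a precertificate has been in a log before the certificate's validity begins) is measurable from the SCTs a CA embeds in the final certificate: each SCT carries the log's timestamp, and the certificate carries notBefore. The following is an added, stand-alone example, not code from this thread or from any CT log or CA implementation. It encodes and parses the TLS-style SignedCertificateTimestampList that sits inside the SCT extension (RFC 6962, sections 3.2 and 3.3) and reports, per log, how far notBefore lies after the log timestamp. All log IDs, timestamps and the signature blob are constructed sample values; signatures are not verified.

```python
"""Measure the gap between CT precertificate logging and certificate validity.

Added example with constructed data.  Parses the SignedCertificateTimestampList
(RFC 6962 s3.3) as found inside the X.509 SCT extension, then compares each
SCT timestamp with the certificate's notBefore.  Signatures are NOT checked.
"""
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values: not real log IDs, not a real signature.
LOG_ID_A = bytes(range(32))
LOG_ID_B = bytes(range(32, 64))
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder blob, never verified


def encode_sct(log_id, timestamp_ms, signature, extensions=b""):
    """Serialise one v1 SCT (RFC 6962 s3.2) with its 2-byte length prefix."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    body = (
        b"\x00"                                 # sct_version = v1
        + log_id
        + struct.pack(">Q", timestamp_ms)       # ms since the Unix epoch
        + struct.pack(">H", len(extensions)) + extensions
        + b"\x04\x03"                           # SignatureAndHashAlgorithm: sha256, ecdsa
        + struct.pack(">H", len(signature)) + signature
    )
    return struct.pack(">H", len(body)) + body


def encode_sct_list(scts):
    """Wrap length-prefixed SCTs into a SignedCertificateTimestampList."""
    payload = b"".join(scts)
    return struct.pack(">H", len(payload)) + payload


def _take(buf, pos, n):
    """Bounds-checked slice so malformed input raises instead of misparsing."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n


def _parse_sct(sct):
    p = 0
    version, p = _take(sct, p, 1)
    if version != b"\x00":
        raise ValueError("unknown SCT version %d" % version[0])
    log_id, p = _take(sct, p, 32)
    ts, p = _take(sct, p, 8)
    (timestamp_ms,) = struct.unpack(">Q", ts)
    ext_len_b, p = _take(sct, p, 2)
    extensions, p = _take(sct, p, struct.unpack(">H", ext_len_b)[0])
    algs, p = _take(sct, p, 2)
    sig_len_b, p = _take(sct, p, 2)
    signature, p = _take(sct, p, struct.unpack(">H", sig_len_b)[0])
    if p != len(sct):
        raise ValueError("trailing bytes in SCT")
    return {
        "log_id": log_id,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": algs[0],
        "sig_alg": algs[1],
        "signature": signature,
    }


def parse_sct_list(data):
    """Parse the SCT list extension value (inner OCTET STRING contents)."""
    hdr, pos = _take(data, 0, 2)
    if struct.unpack(">H", hdr)[0] != len(data) - 2:
        raise ValueError("list length mismatch")
    scts = []
    while pos < len(data):
        hdr, pos = _take(data, pos, 2)
        sct, pos = _take(data, pos, struct.unpack(">H", hdr)[0])
        scts.append(_parse_sct(sct))
    return scts


def issuance_delays(sct_list_bytes, not_before):
    """Return (log_id, notBefore - SCT timestamp) for each embedded SCT.

    Positive: how long the precertificate sat in that log before validity
    began.  Negative: notBefore precedes the log timestamp (a backdated
    notBefore), which CT itself does not forbid."""
    return [(s["log_id"], not_before - s["timestamp"])
            for s in parse_sct_list(sct_list_bytes)]


# Constructed sample: two logs accepted the precert 5 minutes apart, and the
# certificate's notBefore is one hour after the first log timestamp.
T0 = datetime(2015, 6, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(LOG_ID_A, int(T0.timestamp() * 1000), FAKE_SIG),
    encode_sct(LOG_ID_B, int((T0 + timedelta(minutes=5)).timestamp() * 1000), FAKE_SIG),
])
SAMPLE_NOT_BEFORE = T0 + timedelta(hours=1)

if __name__ == "__main__":
    for log_id, delay in issuance_delays(SAMPLE_SCT_LIST, SAMPLE_NOT_BEFORE):
        print(log_id.hex()[:16], delay)
```

Run against a real certificate, the bytes handed to parse_sct_list are the contents of the OCTET STRING in extension 1.3.6.1.4.1.11129.2.4.2; the parser rejects truncated or over-long lists rather than guessing, which matters when the input comes from an untrusted certificate rather than from the constructed sample above.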
