On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> We recently added two tests that CAs must perform and resolve errors for
> when they are requesting to enable the Websites trust bit for their root
> certificate.
>
> Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the
> root certificate. Then click on the 'Search' button. Then click on the 'Run
> cablint' link. All errors must be resolved/fixed.

Kathleen,

As I understand it, the current policy for most CT logs (which is
where crt.sh gets data) is that the root must already be in a root
program (Apple, Google Android/Chrome OS, Microsoft, or Mozilla) or
cross-signed by a root in those programs to be included in the log.
Therefore I think it is reasonable to expect that new roots are not
included in crt.sh.  I'm assuming the second test checks the uploaded
root certificate, so that should be sufficient for testing.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
