On Wed, 31 Aug 2016 12:43:38 -0700 (PDT) Nick Lamb <[email protected]> wrote:
> 1. Implement "Require SCTs" for problematic CAs. Notify the CA they
> are obliged to CT log all certificates, inform subscribers etc. or
> their subscriber's certificates will suddenly be invalid in Firefox
> from some future date.

I think this is generally a very good thing, because CT has uncovered a lot of CA-badness in the past. I'm happy to see that Wosign is going down that route (not sure if someone forced them to do so or if they did this voluntarily, but it seems like the right step).

I'd like to propose another feature that one could ask "problematic" CAs to implement: CAA. It's a relatively simple thing: A domain owner has a DNS record that says which CAs he wants to be allowed to issue certs. Good thing: Others can easily test whether a CA implements it, and it may reduce misissuances.

I'm inclined to say every CA should implement CAA, but it seems last time this was discussed in the CA/Browser-Forum they agreed to make this a SHOULD, not a MUST.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
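
The CAA check described in the message above, as an added example that is not part of the original email or any CA's code: it applies the RFC 6844 rules (closest CAA record set wins, issuewild replaces issue for wildcard requests, an unknown critical property blocks issuance) to a constructed zone. The names caa_permits, relevant_rrset and ZONE and all domains are assumptions; no DNS queries are made and CNAME/DNAME alias handling is left out.

```python
# Added example: CAA evaluation over constructed records (not from the original email).
CRITICAL = 128                      # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "ca-two.example; account=1234")],
    "odd.example.com": [(CRITICAL, "futuretag", "x")],
}

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def caa_permits(name, ca_id, zone=ZONE):
    """True if the CA identified by ca_id may issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognised property with the critical bit set forbids issuance.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    wild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    values = wild if (wildcard and wild) else issue
    if not values:
        return True  # no applicable restriction published
    # The issuer domain precedes any ';' parameters; ";" alone names nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_id.lower() in allowed
```

Run against a CA's test endpoint, the same decision table is what an outside observer would use to check whether that CA honours CAA.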

