WoSign is volunteering to "Require CT", see this: 
https://bugs.chromium.org/p/chromium/issues/detail?id=626338 

And we even plan to log code signing certificates and client certificates in the 
future once our system upgrade is ready.

We think CT is a good solution for any mis-issuance problem.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy 
[mailto:[email protected]] On 
Behalf Of Hanno Böck
Sent: Thursday, September 1, 2016 3:07 PM
To: [email protected]
Subject: Re: Sanctions short of distrust

On Wed, 31 Aug 2016 12:43:38 -0700 (PDT) Nick Lamb <[email protected]> wrote:

> 1. Implement "Require SCTs" for problematic CAs. Notify the CA they 
> are obliged to CT log all certificates, inform subscribers etc. or 
> their subscriber's certificates will suddenly be invalid in Firefox 
> from some future date.

I think this is generally a very good thing, because CT has uncovered a lot of 
CA-badness in the past.
I'm happy to see that WoSign is going down that route (not sure if someone 
forced them to do so or if they did this voluntarily, but it seems like the right 
step).

I'd like to propose another feature that one could ask "problematic"
CAs to implement: CAA.
It's a relatively simple thing: A domain owner has a DNS record that says which 
CAs he wants to be allowed to issue certs.

Good thing: Can be easily tested by others whether a CA implements it and it 
may reduce misissuances.

I'm inclined to say every CA should implement CAA, but it seems last time this 
was discussed in the CA/Browser-Forum they agreed to make this a SHOULD, not a 
MUST.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
