On 03/09/2016 01:23, Matt Palmer wrote:
> On Fri, Sep 02, 2016 at 11:19:11AM +0100, Gervase Markham wrote:
>> On 31/08/16 20:43, Nick Lamb wrote:
>>> ...
>> ...
> ...
>>> 1. Implement "Require SCTs" for problematic CAs. Notify the CA they
>>> are obliged to CT log all certificates, inform subscribers etc. or
>>> their subscriber's certificates will suddenly be invalid in Firefox
>>> from some future date.
>>
>> This is not currently possible in Firefox, as Firefox does not have the
>> ability to check SCTs. We hope to have that ability soon.
>
> Even if Firefox was checking SCTs, as another poster said, if practically
> every site needs to reconfigure themselves to deal with this, we may as well
> just pull the root.  Heck, getting a cert from somewhere else is almost
> certainly *less* hassle than setting up SCT-embedded OCSP stapling or SCTs
> in the TLS handshake.  As far as embedding SCTs in the certs, I thought the
> plan was to have the problematic CA *not* issue more certs...

Indeed, I have found that a number of common web server implementations
simply lack the ability to do OCSP stapling at all.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
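Whichever of the three delivery paths the thread mentions is used (SCTs embedded in the certificate, SCTs in a stapled OCSP response, or SCTs in the TLS handshake), the payload a client has to check is the same RFC 6962 SignedCertificateTimestampList. The following parser is an added example for this thread, not code from the list, from Firefox or from any CA; the SCT bytes it parses are constructed here with a fake log id and a placeholder signature, so it checks structure and log coverage only, and signature verification against real log keys is out of scope.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList, the structure carried in
the X.509 SCT extension, the OCSP SCT extension and the TLS
signed_certificate_timestamp extension, and report which logs are present.

Added example for this thread; not code from the list or from Firefox.
The sample SCT bytes are constructed (fake log id, placeholder signature)."""

import struct
from dataclasses import dataclass
from typing import List

# RFC 6962 section 3.2: only v1 SCTs are defined
SCT_VERSION_V1 = 0
# RFC 5246 SignatureAndHashAlgorithm code points seen in SCTs
HASH_ALGORITHMS = {4: "sha256"}
SIGNATURE_ALGORITHMS = {1: "rsa", 3: "ecdsa"}


@dataclass
class Sct:
    version: int
    log_id: bytes        # SHA-256 of the log's public key
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS-style opaque<...> vector with a len_bytes-wide length prefix."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(buf):
        raise ValueError("vector length exceeds buffer")
    return buf[pos:pos + length], pos + length


def parse_sct(data: bytes) -> Sct:
    """Parse one serialized SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != SCT_VERSION_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    extensions, pos = _read_vec(data, 41, 2)
    # digitally-signed: hash alg (1 byte), sig alg (1 byte), opaque signature<0..2^16-1>
    if pos + 2 > len(data):
        raise ValueError("truncated signature algorithm")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    signature, pos = _read_vec(data, pos + 2, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return Sct(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[Sct]:
    """Parse SignedCertificateTimestampList: a 2-byte-length list of 2-byte-length SCTs."""
    body, end = _read_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        serialized, pos = _read_vec(body, pos, 2)
        scts.append(parse_sct(serialized))
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def count_distinct_logs(data: bytes) -> int:
    """Distinct logs represented: the figure a 'require SCTs' policy would count."""
    return len({s.log_id for s in parse_sct_list(data)})


def build_sample_sct(log_byte: int, timestamp_ms: int) -> bytes:
    """Construct a syntactically valid v1 SCT with a fake log id and placeholder signature."""
    fake_sig = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder bytes, not a real ECDSA signature
    return (bytes([SCT_VERSION_V1]) + bytes([log_byte]) * 32
            + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                     # no extensions
            + bytes([4, 3])                            # sha256, ecdsa
            + struct.pack(">H", len(fake_sig)) + fake_sig)


def build_sct_list(scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs from two (fake) logs.
SAMPLE_SCT_LIST = build_sct_list([build_sample_sct(0xAA, 1472670000000),
                                  build_sample_sct(0xBB, 1472670001000)])

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_SCT_LIST):
        print(s.log_id.hex()[:16], s.timestamp_ms,
              HASH_ALGORITHMS.get(s.hash_alg), SIGNATURE_ALGORITHMS.get(s.sig_alg))
    print("distinct logs:", count_distinct_logs(SAMPLE_SCT_LIST))
```

The same bytes appear as the value of the X.509 extension 1.3.6.1.4.1.11129.2.4.2, the OCSP extension 1.3.6.1.4.1.11129.2.4.5 and TLS extension type 18, so one parser serves all three paths; a truncated or oversized length field raises rather than being silently accepted, which is the failure a client-side check has to handle before it ever reaches signature verification.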