On 02/09/16 21:04, Patrick Figel wrote:
<snip>
> I believe there are two possible solutions if CT enforcement is what the
> community decides on:
>
> 1. Enforce CT only after a certain date, after which WoSign will need
> to embed qualified SCTs. This check can be bypassed if the CA
> backdates certificates (which is problematic, given the history of
> backdating certificates in this particular case.)

AIUI, Chrome doesn't currently consider the difference between the certificate's notBefore date and the corresponding SCTs' timestamps when evaluating whether or not the certificate is "CT qualified".

To guard against backdating, ISTM that future versions of Chrome (and hopefully Firefox too) could require, for certain CAs, that:

1. The certificate MUST be "CT qualified".
and
2. In addition to the standard requirements for being "CT qualified", the SCT timestamps MUST be within N seconds of the certificate's notBefore date.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
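The check proposed in the message above, as an added example that is not part of the original post and not Chrome's or Firefox's actual CT policy code. It models a simplified "CT qualified" rule (at least `min_scts` SCTs from distinct qualified logs; the assumed minimum of 2 is a placeholder, not a real browser policy) and then layers on the extra requirement that every counted SCT timestamp lies within N seconds of the certificate's notBefore. The log identifiers, the notBefore value and the SCT timestamps are constructed sample data; signature verification of the SCTs is assumed to have already happened. The contrast worth seeing is that a certificate whose SCTs were all logged a month after its claimed notBefore passes the timestamp-agnostic check but fails once the skew bound is applied.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple


@dataclass(frozen=True)
class SCT:
    """Signed Certificate Timestamp as embedded in a certificate (RFC 6962).

    Only the two fields this policy check needs are modelled. The SCT's
    signature is assumed to have been verified before this check runs.
    """
    log_id: str        # identifier of the issuing CT log (constructed here)
    timestamp_ms: int  # milliseconds since the Unix epoch, as in RFC 6962


def to_epoch_ms(dt: datetime) -> int:
    """Convert a timezone-aware datetime to RFC 6962 style milliseconds."""
    return int(dt.timestamp() * 1000)


def sct_skew_seconds(not_before: datetime, sct: SCT) -> float:
    """Absolute distance, in seconds, between the SCT timestamp and notBefore."""
    return abs(sct.timestamp_ms - to_epoch_ms(not_before)) / 1000.0


def evaluate_ct_policy(
    not_before: datetime,
    scts: List[SCT],
    qualified_logs: Set[str],
    min_scts: int = 2,             # assumed placeholder, not a real browser policy
    max_skew_seconds: float = 86400,  # "N seconds" from the message; value assumed
) -> Tuple[bool, List[str]]:
    """Return (passes, reasons). An empty reasons list means the cert passes.

    Step 1 is a simplified stand-in for the standard "CT qualified" rule.
    Step 2 is the additional requirement proposed in the message: each SCT
    that counts toward qualification must be timestamped close to notBefore,
    so a backdated notBefore cannot be paired with freshly obtained SCTs.
    """
    reasons: List[str] = []

    counted = [s for s in scts if s.log_id in qualified_logs]
    distinct_logs = {s.log_id for s in counted}
    if len(distinct_logs) < min_scts:
        reasons.append(
            f"only {len(distinct_logs)} SCT(s) from distinct qualified logs; "
            f"{min_scts} required"
        )

    for sct in counted:
        skew = sct_skew_seconds(not_before, sct)
        if skew > max_skew_seconds:
            reasons.append(
                f"SCT from log {sct.log_id} is {skew:.0f}s away from notBefore "
                f"(limit {max_skew_seconds}s)"
            )

    return (not reasons, reasons)


# --- constructed sample data -------------------------------------------------
QUALIFIED_LOGS = {"log-a", "log-b", "log-c"}  # constructed log identifiers
NOT_BEFORE = datetime(2016, 9, 2, 21, 0, 0, tzinfo=timezone.utc)  # constructed


def sct_at(log_id: str, offset: timedelta) -> SCT:
    """Build a constructed SCT whose timestamp is notBefore + offset."""
    return SCT(log_id=log_id, timestamp_ms=to_epoch_ms(NOT_BEFORE + offset))


# SCTs obtained seconds after issuance: consistent with an honest notBefore.
HONEST_SCTS = [sct_at("log-a", timedelta(seconds=5)),
               sct_at("log-b", timedelta(seconds=40))]

# SCTs obtained 30 days after the claimed notBefore: the pattern a backdated
# certificate would show, since the logs saw it only when it was really issued.
BACKDATED_SCTS = [sct_at("log-a", timedelta(days=30)),
                  sct_at("log-b", timedelta(days=30, seconds=12))]


if __name__ == "__main__":
    for label, scts in (("honest", HONEST_SCTS), ("backdated", BACKDATED_SCTS)):
        ok, reasons = evaluate_ct_policy(NOT_BEFORE, scts, QUALIFIED_LOGS)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {reasons}")
```

With `max_skew_seconds=float("inf")` the second step is effectively disabled and the backdated set passes, which is the timestamp-agnostic behaviour the message describes; with the bound in place it fails on every SCT, and the reasons list names the offending logs so the result can be logged or surfaced for a CA-specific policy.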

