On Thu, Sep 08, 2016 at 09:44:04AM -0700, Ryan Sleevi wrote:
> On Thursday, September 8, 2016 at 4:09:25 AM UTC-7, Rob Stradling wrote:
> > >  1. Enforce CT only after a certain date, after which WoSign will need
> > >     to embed qualified SCTs. This check can be bypassed if the CA
> > >     backdates certificates (which is problematic, given the history of
> > >     backdating certificates in this particular case.)
> > 
> > AIUI, Chrome doesn't currently consider the difference between the
> > certificate's notBefore date and the corresponding SCTs' timestamps when
> > evaluating whether or not the certificate is "CT qualified".
> > 
> > To guard against backdating, ISTM that future versions of Chrome (and
> > hopefully Firefox too) could require, for certain CAs, that:
> >   1. The certificate MUST be "CT qualified".
> >   and
> >   2. In addition to the standard requirements for being "CT qualified",
> > the SCT timestamps MUST be within N seconds of the certificate's
> > notBefore date.
> 
> Without wanting to derail this thread with discussions of Chrome's CT
> implementations, to the point it's relevant to a Firefox implementation,
> this is something better as part of the monitoring ecosystem (and with a
> CA/B Forum Guideline) than as a client enforcement.

I read Rob's proposal as one specifically for CAs under some sort of
"quintuple secret probation" arrangement, where there has been a history of
shenanigans with notBefore dates.  In that circumstance, as a proactive
enforcement mechanism, it makes a certain degree of sense.  Post-hoc
detection through CT logs is without value for such CAs; the reason they're
on probation is because they've got too many customers to just pull the
root and ship a valid certs whitelist, so if further shenanigans are detected
via CT, what recourse is there available?  Revocation is off the table,
because it's under the CA's control, and we've seen recent examples of
revocation equivocation from CAs.

Therefore, proactive enforcement of standards on a cert-by-cert basis is,
as far as I can tell, about all there is left.  Do you see things
differently?

- Matt
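
The notBefore-versus-SCT-timestamp rule Rob proposes above, written out as a standalone check (an added example, not code from this thread or from Chrome or Firefox). It parses an RFC 6962 SignedCertificateTimestampList, compares every SCT timestamp with the certificate's notBefore, and flags the certificate when any SCT falls outside the window; the window of 3600 s, the dummy signatures in the constructed sample SCTs, and the absence of signature verification and of Chrome's per-log SCT-count policy are all assumptions of this example.

```python
import struct
from datetime import datetime, timezone

def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the inner value of the
    X.509 SCT extension) into (log_id, timestamp_ms) pairs. Signatures are
    skipped, not verified: this only extracts the timestamps."""
    (total,) = struct.unpack(">H", blob[:2])
    pos, end, scts = 2, 2 + total, []
    while pos < end:
        (length,) = struct.unpack(">H", blob[pos:pos + 2])
        sct = blob[pos + 2:pos + 2 + length]
        pos += 2 + length
        if sct[0] != 0:            # only SCT version v1 (value 0) is defined
            raise ValueError("unknown SCT version %d" % sct[0])
        log_id = sct[1:33]         # SHA-256 of the log's public key
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        scts.append((log_id, ts_ms))
    return scts

def sct_timestamp_check(not_before: datetime, scts, window_s: int) -> dict:
    """Proposed rule: every SCT timestamp must lie within window_s seconds of
    the certificate's notBefore. Returns the offset in seconds per log id
    (positive = logged after notBefore) and an overall verdict."""
    nb_ms = int(not_before.replace(tzinfo=timezone.utc).timestamp() * 1000)
    offsets = {log_id.hex(): (ts_ms - nb_ms) / 1000 for log_id, ts_ms in scts}
    ok = all(abs(off) <= window_s for off in offsets.values())
    return {"ok": ok, "offsets": offsets}

def build_sct(log_id: bytes, ts_ms: int) -> bytes:
    """Constructed sample SCT: v1, no extensions, sha256/ecdsa, dummy signature."""
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
    body += b"\x04\x03" + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"
    return struct.pack(">H", len(body)) + body

def sample_list(ts_list) -> bytes:
    """Constructed SignedCertificateTimestampList with one fake log per entry."""
    scts = b"".join(build_sct(bytes([i]) * 32, ts) for i, ts in enumerate(ts_list))
    return struct.pack(">H", len(scts)) + scts

NOT_BEFORE = datetime(2016, 9, 8, 9, 44, 4)   # constructed issuance time (UTC)
NB_MS = int(NOT_BEFORE.replace(tzinfo=timezone.utc).timestamp() * 1000)
HONEST = sample_list([NB_MS + 5_000, NB_MS + 12_000])             # logged seconds after notBefore
BACKDATED = sample_list([NB_MS + 5_000, NB_MS + 90 * 86_400_000])  # one SCT 90 days after notBefore

if __name__ == "__main__":
    for name, blob in (("honest", HONEST), ("backdated", BACKDATED)):
        print(name, sct_timestamp_check(NOT_BEFORE, parse_sct_list(blob), window_s=3600))
```

A certificate whose notBefore was set long before it was actually logged shows up as a large positive offset, which is exactly the case a post-hoc CT monitor cannot remediate if revocation is off the table.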

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy