On 09/09/16 00:32, Matt Palmer wrote:
> On Thu, Sep 08, 2016 at 09:44:04AM -0700, Ryan Sleevi wrote:
>> On Thursday, September 8, 2016 at 4:09:25 AM UTC-7, Rob Stradling wrote:
>>>> 1. Enforce CT only after a certain date, after which WoSign will need
>>>> to embed qualified SCTs. This check can be bypassed if the CA
>>>> backdates certificates (which is problematic, given the history of
>>>> backdating certificates in this particular case.)
>>>
>>> AIUI, Chrome doesn't currently consider the difference between the
>>> certificate's notBefore date and the corresponding SCTs' timestamps when
>>> evaluating whether or not the certificate is "CT qualified".
>>>
>>> To guard against backdating, ISTM that future versions of Chrome (and
>>> hopefully Firefox too) could require, for certain CAs, that:
>>> 1. The certificate MUST be "CT qualified".
>>> and
>>> 2. In addition to the standard requirements for being "CT qualified",
>>> the SCT timestamps MUST be within N seconds of the certificate's
>>> notBefore date.
>>
>> Without wanting to derail this thread with discussions of Chrome's CT
>> implementations, to the point it's relevant to a Firefox implementation,
>> this is something better as part of the monitoring ecosystem (and with a
>> CA/B Forum Guideline) than as a client enforcement.
>
> I read Rob's proposal as one specifically for CAs under some sort of
> "quintuple secret probation" arrangement, where there has been a history of
> shenanigans with notBefore dates.
Yes, precisely that.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
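The second requirement Rob proposes above (SCT timestamps within N seconds of the certificate's notBefore) is simple enough to show as a policy check. The following is an added illustration, not code from this thread, from Mozilla or from Comodo. It assumes the certificate's notBefore is already parsed into a UTC datetime and that each SCT carries its timestamp as milliseconds since the Unix epoch, as RFC 6962 specifies; the log labels, the dates and the N value of one hour are constructed for the example. It deliberately does not model the separate "CT qualified" policy (how many SCTs from which logs), which is the first of Rob's two requirements and a matter of each browser's log policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Sct:
    """Minimal in-memory view of a Signed Certificate Timestamp."""
    log_id: str        # constructed label for the issuing CT log
    timestamp_ms: int  # SCT timestamp: milliseconds since the Unix epoch (RFC 6962)


def sct_datetime(sct: Sct) -> datetime:
    """Convert an SCT's millisecond timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc)


def backdating_violations(not_before: datetime, scts, max_skew_seconds: int):
    """Return the SCTs whose timestamp lies more than max_skew_seconds away
    from the certificate's notBefore, in either direction.

    A CA that backdates a certificate would produce a notBefore well before
    the moment the (pre)certificate was actually submitted to the logs, so
    the SCT timestamps would land far after notBefore; the absolute
    difference catches that, and also catches the reverse case.
    """
    window = timedelta(seconds=max_skew_seconds)
    return [s for s in scts if abs(sct_datetime(s) - not_before) > window]


def passes_backdating_check(not_before: datetime, scts, max_skew_seconds: int) -> bool:
    """True when there is at least one SCT and none of them violates the window."""
    if not scts:
        return False
    return not backdating_violations(not_before, scts, max_skew_seconds)


def ms_since_epoch(dt: datetime) -> int:
    """Helper for building constructed sample SCTs from a datetime."""
    return int(dt.timestamp() * 1000)


# Constructed sample data: a certificate claiming issuance on 2016-09-08,
# one SCT logged 30 seconds later (plausible) and one logged 38 days later
# (what a backdated notBefore would look like). N is one hour.
NOT_BEFORE = datetime(2016, 9, 8, 0, 0, 0, tzinfo=timezone.utc)
MAX_SKEW_SECONDS = 3600

GOOD_SCT = Sct("example-log-a", ms_since_epoch(NOT_BEFORE + timedelta(seconds=30)))
LATE_SCT = Sct("example-log-b", ms_since_epoch(NOT_BEFORE + timedelta(days=38)))


if __name__ == "__main__":
    for label, scts in (("honest", [GOOD_SCT]), ("suspect", [GOOD_SCT, LATE_SCT])):
        bad = backdating_violations(NOT_BEFORE, scts, MAX_SKEW_SECONDS)
        verdict = "pass" if passes_backdating_check(NOT_BEFORE, scts, MAX_SKEW_SECONDS) else "fail"
        print(f"{label}: {verdict}; out-of-window SCTs: {[s.log_id for s in bad]}")
```

Whether such a check belongs in the client, as Rob suggests for CAs under special scrutiny, or in monitors, as Ryan prefers, the logic is the same; a monitor would run it over certificates pulled from the logs and alert on violations rather than refusing connections.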

