On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: > 5. 100% embedded CT for all issued certificates, with embedded SCTs from > at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the qualification status of the logs, or could anyone who wanted to be "nice" just stand up a log, and have these CAs obtain precerts from them? - Matt -- Yes, Java is so bulletproofed that to a C programmer it feels like being in a straightjacket, but it's a really comfy and warm straightjacket, and the world would be a safer place if everyone was straightjacketed most of the time. -- Mark 'Kamikaze' Hughes _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
