On 2016-10-14 03:20, Matt Palmer wrote:
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
5. 100% embedded CT for all issued certificates, with embedded SCTs from
at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?
I would suggest to use the same qualification criteria as Google uses
The requirement are otherwise more strict that what Chromium uses, it
does not require them to be embedded, and they can operate the log
dev-security-policy mailing list