On 2016-10-14 03:20, Matt Palmer wrote:
> On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
>> 5. 100% embedded CT for all issued certificates, with embedded SCTs from
>> at least one Google and one non-Google log not controlled by the CA.
>
> Will there be any requirements around the qualification status of the logs,
> or could anyone who wanted to be "nice" just stand up a log, and have these
> CAs obtain precerts from them?

I would suggest using the same qualification criteria as Google uses for Chromium (https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy).

The requirements are otherwise more strict than what Chromium uses; it does not require them to be embedded, and they can operate the log themselves. See https://www.chromium.org/Home/chromium-security/root-ca-policy/CTPolicyMay2016edition.pdf


dev-security-policy mailing list