On 2016-10-14 10:19, Nick Lamb wrote:
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer  wrote:
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?


I don't think Mozilla has declared any specific requirements, but presumably 
they would expect to choose the same or similar criteria as Google's Chrome 
which you're already aware of but I'll link for anybody else

https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy

For the immediate purpose here (allowing broad oversight over what the new CA is 
issuing) some of these criteria are less important, e.g. the >99% uptime may be 
less important because oversight would be done via a monitor, but Mozilla intends 
to add SCT-checking to Firefox, at which point all the criteria will be important.

I think the 99% uptime is important. They need to be able to submit new certificates to it. This is clearly needed if embedding the SCTs is required. But I guess it's more important to the CA in that case than it is to Mozilla.


Kurt


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to