On 14/10/16 02:20, Matt Palmer wrote:
> Will there be any requirements around the qualification status of the logs,
> or could anyone who wanted to be "nice" just stand up a log, and have these
> CAs obtain precerts from them?

Log qualification is a Chrome concept - it means "suitable for being trusted by Chrome". When and if Firefox supports CT checking, we may also need our own list of qualified logs, which may or may not be related to the Chrome list, and we would have our own requirements for how many SCTs need to be included, which again may or may not be related to Chrome's requirements.

But before those things happen, it seems inappropriate to me to place restrictions on the choice of CT server based on Chrome's log list. Google may do so, of course, but that's up to them.

We do, of course, require that the CT server not be defective - i.e. not be proved to be evil :-)

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

