On 13/10/16 20:52, Gervase Markham wrote: <snip> > StartCom/WoSign have indicated ro me that they may have trouble > complying with the non-Google log requirement because it's hard to find > a non-Google log which can scale sufficiently. I suggest we allow them > some leeway on this but they need to demonstrate evidence of efforts to > meet the requirement.
Gerv, does Mozilla need to make a final decision on this point immediately? I very much hope that there will be more CT logs by the time StartCom and/or WoSign are readmitted into Mozilla's trust list. Why not delay making this decision until nearer that time? Alternatively, why not just rely on the mechanisms built into CT for detecting log misbehaviour? ;-) > If anyone reading controls a CT log which could accept their volume, > even for payment, please contact StartCom/WoSign and let Mozilla know > you have done so. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy