On 14/10/16 15:46, Gervase Markham wrote: > I think the rule we are putting in place is that: "StartCom/WoSign > SHOULD NOT fulfil the non-Google log requirement by using logs that they > run themselves. For as long as they do so, they will need to demonstrate > ongoing evidence of efforts to get other logs to take their volume, and > why those efforts have not been successful."
I should add that if StartCom/WoSign have a CT log codebase capable of taking the volume necessary, they could always open source it, and then pay a 3rd party to run an instance of it, with an arms-length contract. That sort of solution may well be acceptable, depending on contract details. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
