All,

I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy.

Certificate Transparency's idempotency is not dependent on the practices of the operator. By requiring the use of a third-party log (in this case Google's) and requiring that the logs are public, CT "works" as expected.

There appears to be an argument being made that this restriction comes from the fact that Firefox does not yet have CT support; I would argue that this is not material. My justification for this argument is that today, Firefox depends on SafeBrowsing; this is a Google-provided service and Firefox uses it to protect users from malicious sites. This is not significantly different from the way Chrome (and others) rely on the wonderful Mozilla Trusted Root Program.

Based on this it seems reasonable to allow them to use the same logs they use for EV.

Ryan

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

