I do not understand the desire to require StartCom / WoSign to not utilize 
their own logs as part of the associated quorum policy. 

Certificate Transparency's idempotency is not dependent on the practices of 
the operator. By requiring the use of a third-party log (in this case Google's) 
and requiring that the logs are public, CT "works" as expected.

There appears to be an argument being made that this restriction comes from the 
fact that Firefox does not yet have CT support; I would argue that this is not 
material. My justification for this argument is that today, Firefox depends on 
SafeBrowsing; this is a Google-provided service and Firefox uses it to protect 
users from malicious sites.

This is not significantly different from the way Chrome (and others) rely on 
the wonderful Mozilla Trusted Root Program.

Based on this it seems reasonable to allow them to use the same logs they use 
for EV.

dev-security-policy mailing list
