On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote:
> All,
> 
> I do not understand the desire to require StartCom / WoSign to not utilize 
> their own logs as part of the associated quorum policy. 
> 
> Certificate Transparency's idempotency is not dependent on the practices 
> of the operator. By requiring the use of a third-party log (in this case 
> Google's) and requiring that the logs are public, CT "works" as expected.
> 
> There appears to be an argument being made that this restriction comes from 
> the fact that Firefox does not yet have CT support, I would argue that this 
> is not material. My justification for this argument is that today, Firefox 
> depends on SafeBrowsing, this is a Google-provided service and Firefox uses 
> it to protect users from malicious sites.
> 
> This is not significantly different from the way Chrome (and others) rely on 
> the wonderful Mozilla Trusted Root Program.
> 
> Based on this it seems reasonable to allow them to use the same logs they use 
> for EV.
> 
> Ryan

Could you explain what "idempotency" means? Because I am not a native English 
speaker and I can't look up a good meaning for this word.

For the StartCom/WoSign's log, I think maybe Mozilla's logic is that they are 
not trustworthy when they are applying CAs, so their CT logs can't be 
trusted. But I don't think that's right because there's a Google log also 
monitoring this. What I am interested in is why some CT log operators rejected 
the inclusion request from StartCom. Performance is not a persuading reason.

For the CT support, is there any plan to implement it into effect in Firefox? 
And if implemented, what would happen if a server's certificate doesn't have enough 
SCTs?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
