It is true that, without gossip, CT is dependent on browsers monitoring the log
ecosystem; this is one reason why in the Chrome policy the one Google log is

I would argue that, with the monitoring Google does and the one Google log policy,
this risk is mitigated sufficiently, even without gossip.

Gossip is needed, as is Firefox's own implementation of CT verification, which 
is actively in the works, but given the above mitigations I still believe this 
extra requirement is not necessary.

dev-security-policy mailing list
