On 19 October 2016 at 02:58, Kurt Roeckx <k...@roeckx.be> wrote:
> On 2016-10-19 01:37, Rob Stradling wrote:
>>
>> On 18/10/16 23:49, Gervase Markham wrote:
>>>
>>> On 18/10/16 15:42, Ryan Hurst wrote:
>>>>
>>>> I do not understand the desire to require StartCom / WoSign to not
>>>> utilize their own logs as part of the associated quorum policy.
>>>
>>>
>>> My original logic was that it could be seen that the log owner is
>>> trustworthy. However, you are right that CT does not require this.
>>
>>
>> A log operator could offer a split view of their log, and this might go
>> undetected. That's why we need CT gossip to exist.
>
>
> I at least have some concerns about the current gossip draft and talked a
> little to dkg about this. I should probably bring this up on the trans list.
Please do! For those not aware, the CT Gossip draft is in 'pre-final review'
in the sense that (we think) we're pretty much done but need people to
finally read it now. Draft is at:

https://datatracker.ietf.org/doc/draft-ietf-trans-gossip/

Because we're talking about a CA which used their private keys to get around
baseline requirements/prohibitions by backdating, I would not be comfortable
trusting them with operating a log where they could do the same thing. The
addition of the Google log prevents this to some degree. So I would prefer
the requirement either be 'one Google and one non-Google/non-self-operated
log' or just 'one Google log'.

-tom

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
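Rob Stradling's point in the quoted thread (a log operator can serve a split view that stays undetected unless observers gossip) as an added Python example; this is not code from the thread, from the gossip draft, or from any CT implementation. It assumes RFC 6962 Merkle tree hashing (leaf prefix 0x00, node prefix 0x01), leaves STH signatures out of scope, and uses constructed log entries and constructed observer names. It also carries the RFC 9162 consistency-proof verifier through, to show that a fork sharing the old prefix passes a consistency check against an observer's earlier STH and is only exposed by comparing STHs across observers.

```python
"""Constructed demo: a split-view CT log passes consistency checks but fails gossip."""
import hashlib
from dataclasses import dataclass


def _hash_leaf(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()


def _hash_node(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node hash: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()


def _largest_power_of_two_below(n: int) -> int:
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: list) -> bytes:
    """MTH(D[n]) as defined in RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return _hash_leaf(entries[0])
    k = _largest_power_of_two_below(n)
    return _hash_node(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


@dataclass(frozen=True)
class STH:
    """Signed Tree Head without the signature (signature checks are out of scope here)."""
    tree_size: int
    root_hash: bytes


def sign_tree_head(entries: list) -> STH:
    return STH(len(entries), merkle_tree_hash(entries))


def consistency_proof(first: int, entries: list) -> list:
    """PROOF(m, D[n]) = SUBPROOF(m, D[n], true), RFC 6962 section 2.1.2."""
    if not 1 <= first <= len(entries):
        raise ValueError("first must satisfy 1 <= first <= len(entries)")

    def subproof(m, d, b):
        n = len(d)
        if m == n:
            return [] if b else [merkle_tree_hash(d)]
        k = _largest_power_of_two_below(n)
        if m <= k:
            return subproof(m, d[:k], b) + [merkle_tree_hash(d[k:])]
        return subproof(m - k, d[k:], False) + [merkle_tree_hash(d[:k])]

    return subproof(first, entries, True)


def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, proof: list) -> bool:
    """Consistency-proof verifier from RFC 9162 section 2.1.4.2 (RFC 6962's successor)."""
    if first == second:
        return first_hash == second_hash and not proof
    if first > second or not proof:
        return False
    path = list(proof)
    if first & (first - 1) == 0:          # first is an exact power of two
        path = [first_hash] + path
    fn, sn = first - 1, second - 1
    while fn & 1:                         # shift until LSB(fn) is clear
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = _hash_node(c, fr)
            sr = _hash_node(c, sr)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            sr = _hash_node(sr, c)
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


def gossip_check(observed: dict) -> list:
    """Gossip-style check: observer pairs holding STHs of equal size but different roots."""
    names = sorted(observed)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = observed[a], observed[b]
            if sa.tree_size == sb.tree_size and sa.root_hash != sb.root_hash:
                conflicts.append((a, b))
    return conflicts


# Constructed sample data: the view shown to most observers, and a fork shown to one.
HONEST_LOG = [b"cert-a", b"cert-b", b"cert-c", b"cert-d", b"cert-e"]
FORKED_LOG = [b"cert-a", b"cert-b", b"cert-c", b"backdated-cert", b"cert-e"]

if __name__ == "__main__":
    old = sign_tree_head(HONEST_LOG[:3])
    honest, forked = sign_tree_head(HONEST_LOG), sign_tree_head(FORKED_LOG)
    # Both views are consistent with the earlier size-3 STH, so a lone
    # observer cannot tell them apart...
    print(verify_consistency(3, 5, old.root_hash, honest.root_hash, consistency_proof(3, HONEST_LOG)))
    print(verify_consistency(3, 5, old.root_hash, forked.root_hash, consistency_proof(3, FORKED_LOG)))
    # ...but two observers comparing STHs of the same size detect the split.
    print(gossip_check({"alice": honest, "bob": forked}))
```

The design point: consistency proofs only bind a new tree head to an old one, so a log can maintain two diverging trees that each extend the same prefix and hand each observer whichever one suits it; the split only becomes visible when STHs for the same tree size are compared across observers, which is the exchange the gossip draft standardises.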