> Because we're talking about a CA which used their private keys to get
> around baseline requirements/prohibitions by backdating, I would not
> be comfortable trusting them with operating a log where they could do
> the same thing. The addition of the Google log prevents this to some
> degree. So I would prefer the requirement either be 'one Google and
> one non-Google/non-self-operated log' or just 'one Google log'.
> 
> -tom

Since you would be OK with one Google log, it seems it would be harmless for
them to log to their log also. As such, treating them consistently with the Google
EV policy (one Google, one other) seems acceptable.

Ryan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
