On Oct 19, 2016 11:51 AM, "Ryan Hurst" <[email protected]> wrote:
>
> > Because we're talking about a CA which used their private keys to get
> > around baseline requirements/prohibitions by backdating, I would not
> > be comfortable trusting them with operating a log where they could do
> > the same thing. The addition of the Google log prevents this to some
> > degree. So I would prefer the requirement either be 'one google and
> > one non-google/non-self-operated log' or just 'one google log'.
> >
> > -tom
>
> Since you would be OK with one google log, it seems it would be harmless for them to log to their log also. As such treating them consistently as the Google EV policy (one google, one other) seems acceptable.
>
It would be harmless, but if the only option for them to get to two logs is to run their own, I don't see the point in requiring them to if we're not going to really regard it as trusted. (Which at least I wouldn't. I'd regard it as "A log I expect to be manipulated as soon as it is financially expedient to do so.")

Unless we're proverbially doing it to give them more rope to hang themselves with, so they get punished worse if they manipulate their log like their CA issuance. But I'm not keen on that idea since we're retroactively finding them putting users at risk, and this would be even more so.

-tom

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

