On Tuesday, October 25, 2016 at 8:45:26 AM UTC+8, Ryan Sleevi wrote:
> [Note: This is cross-posted. The best venue for follow-up questions is the
> public mailing list at ct-pol...@chromium.org or the post at
> https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ
> ]
> [Note: Posting wearing my Chrome hat. None of this reflects Mozilla policy,
> but is useful for the Mozilla community to be aware of]
>
> This past week at the 39th meeting of the CA/Browser Forum, the Chrome team
> announced plans that publicly trusted website certificates issued in October
> 2017 or later will be expected to comply with Chrome’s Certificate
> Transparency policy in order to be trusted by Chrome.
>
> The Chrome Team believes that the Certificate Transparency ecosystem has
> advanced sufficiently that October 2017 is an achievable and realistic goal
> for this requirement.
>
> This is a significant step forward in the online trust ecosystem. The
> investments made by CAs adopting CT, and Chrome requiring it in some cases,
> have already paid tremendous dividends in providing a more secure and
> trustworthy Internet. The use of Certificate Transparency has profoundly
> altered how browsers, site owners, and relying parties are able to detect and
> respond to misissuance, and importantly, gives new tools to mitigate the
> damage caused when a CA no longer complies with community expectations and
> browser programs.
>
> While the benefits of CT are clear, we recognize that some CAs, browsers, or
> site operators may have use cases they feel are not fully addressed by
> Certificate Transparency, and so may have concerns over the October 2017
> date. We encourage anyone who feels this way to bring their concerns to the
> IETF’s Public Notary Transparency WG (TRANS) so that these use cases can be
> discussed and cataloged. The information for this WG, and the documents it
> works on, is available at https://datatracker.ietf.org/wg/trans/charter/.
>
> Although the date is a year away, we encourage any participants that wish to
> have their use cases addressed to bring them forward as soon as possible
> during the next three months. This will ensure that the IETF, the CA/Browser
> Forum, and the broader community at large have ample time to discuss the
> challenges that may be faced, and find appropriate solutions for them. Such
> solutions may be through technical changes via the IETF or via policy means
> such as through the CA/Browser Forum or individual browsers’ root program
> requirements.
>
> We will continue outreach to CAs in trust stores used by Chrome to ensure
> that they are prepared and that there is minimal user disruption.
>
> To further support these investments in Certificate Transparency, the Chrome
> team will be discussing a proposed new HTTP header at next month’s IETF
> meeting that would allow sites to opt-in to having CT requirements enforced
> in advance of this deadline.
>
> Similarly, we welcome and encourage all CAs to voluntarily request that
> browsers enforce CT logging of their new certificates before this deadline.
> Doing so enhances CT's ability to protect users, detect misissuance, and in
> the unfortunate event that misissuance does occur, to confirm the scope of
> misissuance. This may allow browsers to take more targeted steps to remediate
> the problem than otherwise possible, thus minimizing any negative impact to
> their users.

Is there any timetable for enforcing CAs to support embedded CT or OCSP CT?