On Tuesday, 25 October 2016 15:45:26 UTC+1, Han Yuwei wrote:
> Is there any timetable for enforcing CAs to support embedded CT or OCSP CT?
Well, the effect of Google's policy is that if you're a subscriber looking to obtain certificates a year from now you have three options:

1. Don't care about Chrome (though of course this policy may spread to other browsers). That option might be attractive if your certificates are from the Web PKI but aren't usually examined by browsers. For example in a mail server, or in some financial applications. Otherwise it looks like a bad choice.

2. Arrange to implement the TLS SCT extension from your servers and obtain SCTs for yourself to pass on to browsers. This does not require any new effort from the CA. This would meet Chrome's requirement entirely and is very flexible, but can mean significant disruption or even the need for new software development. Most customers again will see this as an undesirable choice.

3. Choose a CA that can deliver SCTs with your certificates or maybe via OCSP and in the latter case ensure your server software is compatible with that.

I expect option (3) to be overwhelmingly popular, so that Google need do little or nothing in the way of "enforcing" this support. Indeed all the big public CAs either already have, or are known to be developing, this capability.

Obviously Google needs to communicate this clearly to subscribers, and to a lesser extent to Chrome users. I think a simple announcement ought to be enough at this stage for CAs themselves; if you're operating a public CA in 2016 and don't know what Certificate Transparency is you're in the wrong business. But for the other two groups effective communication is important over the next 12-24 months. In the ideal world the CAs would take on some of the burden of informing their subscribers, but I think the SHA-1 experience shows that's not always a very reliable path.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
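All three delivery channels the reply above discusses (the TLS signed_certificate_timestamp extension a subscriber serves itself, the X.509 extension a CA embeds in the certificate, and the OCSP response extension) carry the same RFC 6962 SignedCertificateTimestampList encoding, so a subscriber checking whether their chosen option actually delivers SCTs can inspect all of them with one parser. The following is an added example written for this page, not code from the thread or from Mozilla or Google; the two SCTs it parses are constructed sample bytes with dummy signatures and hypothetical log IDs, and it checks structure only (no signature verification, which would need each log's public key).

```python
import struct
from datetime import datetime, timezone

# Where a client can receive an SCT list (RFC 6962). All three carry the same
# SignedCertificateTimestampList bytes, so one parser covers option 2 (served by
# the subscriber over TLS) and option 3 (supplied by the CA in the certificate
# or via OCSP).
TLS_SCT_EXTENSION_TYPE = 18                   # TLS extension signed_certificate_timestamp
EMBEDDED_SCT_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension in the leaf certificate
OCSP_SCT_OID = "1.3.6.1.4.1.11129.2.4.5"      # extension in the OCSP response

# RFC 5246 SignatureAndHashAlgorithm code points used in SCT signatures
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

# version(1) + log_id(32) + timestamp(8) + ext_len(2) + hash(1) + sig(1) + sig_len(2)
MIN_SCT_LEN = 47


def parse_sct(sct: bytes) -> dict:
    """Parse one SignedCertificateTimestamp (RFC 6962 s3.2). Structure only:
    the signature is NOT verified here; that requires the log's public key."""
    if len(sct) < MIN_SCT_LEN:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != 0:  # v1 (value 0) is the only version RFC 6962 defines
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack("!Q", sct[33:41])
    (ext_len,) = struct.unpack("!H", sct[41:43])
    pos = 43
    extensions = sct[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated SCT extensions")
    pos += ext_len
    if len(sct) < pos + 4:
        raise ValueError("truncated SCT signature header")
    hash_alg, sig_alg, sig_len = struct.unpack("!BBH", sct[pos:pos + 4])
    pos += 4
    signature = sct[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(sct):
        raise ValueError("SCT signature length does not match")
    return {
        "version": version,
        "log_id_hex": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature_len": sig_len,
    }


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962 s3.3): a 2-byte total
    length, then a sequence of 2-byte-length-prefixed serialized SCTs."""
    if len(data) < 2:
        raise ValueError("truncated SCT list length")
    (total_len,) = struct.unpack("!H", data[:2])
    if total_len != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(data):
        if len(data) < pos + 2:
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        sct = data[pos:pos + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += sct_len
        scts.append(parse_sct(sct))
    return scts


# --- constructed sample input: hypothetical log IDs, dummy signature bytes ---
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    return (bytes([0]) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", len(extensions)) + extensions
            + struct.pack("!BBH", 4, 3, len(signature)) + signature)  # sha256 / ecdsa


def encode_sct_list(scts) -> bytes:
    items = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(items)) + items


SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(b"\xaa" * 32, 1477410326000, b"\x30\x44" + b"\x00" * 68),  # hypothetical log A
    encode_sct(b"\xbb" * 32, 1477410327000, b"\x30\x45" + b"\x00" * 69),  # hypothetical log B
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct["log_id_hex"][:16], sct["timestamp"], sct["sig_alg"], sct["signature_len"])
```

For the embedded case the X.509 extension value is an OCTET STRING wrapping these bytes, so strip that DER header before calling parse_sct_list; the TLS extension body and the OCSP extension value are handed over as-is. A list that parses cleanly but shows fewer SCTs, or SCTs from fewer distinct logs, than the browser policy requires is the signal that the chosen delivery option is not yet sufficient.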