On Tuesday, 25 October 2016 at 23:39:31 UTC+8, Nick Lamb wrote:
> On Tuesday, 25 October 2016 15:45:26 UTC+1, Han Yuwei wrote:
> > Is there any timetable for enforcing CAs to support embedded CT or OCSP CT?
>
> Well, the effect of Google's policy is that if you're a subscriber looking to
> obtain certificates a year from now you have three options
>
> 1. Don't care about Chrome (though of course this policy may spread to other
> browsers). That option might be attractive if your certificates are from the
> Web PKI but aren't usually examined by browsers. For example in a mail
> server, or in some financial applications. Otherwise it looks like a bad
> choice.
>
> 2. Arrange to implement the TLS SCT extension from your servers and obtain
> SCTs for yourself to pass on to browsers. This does not require any new
> effort from the CA. This would meet Chrome's requirement entirely and is very
> flexible, but can mean significant disruption or even the need for new
> software development. Most customers again will see this as an undesirable
> choice.
>
> 3. Choose a CA that can deliver SCTs with your certificates or maybe via OCSP
> and in the latter case ensure your server software is compatible with that.
>
> I expect option (3) to be overwhelmingly popular, so that Google need do
> little or nothing in the way of "enforcing" this support. Indeed all the big
> public CAs either already have, or are known to be developing this capability.
>
> Obviously Google needs to communicate this clearly to subscribers, and to a
> lesser extent to Chrome users. I think a simple announcement ought to be
> enough at this stage for CAs themselves, if you're operating a public CA in
> 2016 and don't know what Certificate Transparency is you're in the wrong
> business. But for the other two groups effective communication is important
> over the next 12-24 months. In the ideal world the CAs would take on some of
> the burden of informing their subscribers, but I think the SHA-1 experience
> shows that's not always a very reliable path.
First, I care about CT and I desperately want CT deployment. I have tried to implement the TLS SCT extension in my nginx but failed, and I don't know why. Because I deployed OCSP stapling successfully, I want an embedded CT (best for everyone) or an OCSP response CT. So I am hoping that CAs could do more, because they have many more resources than we do.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
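All three SCT delivery paths discussed in this thread (the certificate's embedded extension, the TLS signed_certificate_timestamp extension, and the OCSP response extension) carry the same RFC 6962 SignedCertificateTimestampList structure; the certificate and OCSP variants only add a DER OCTET STRING wrapper. The following stdlib-only Python parser is an added example written for this page, not code from the thread participants or from any CA or server project. It decodes that structure so an operator can check what a CA or server is actually handing out; it does not verify the SCT signatures (that would need the logs' public keys), and the sample list it parses is constructed here with dummy log IDs and dummy signature bytes.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList (stdlib only).

Delivery paths and how to call parse_sct_list():
  - X.509 extension 1.3.6.1.4.1.11129.2.4.2  -> der_wrapped=True
  - OCSP extension  1.3.6.1.4.1.11129.2.4.5  -> der_wrapped=True
  - TLS extension signed_certificate_timestamp -> der_wrapped=False
Signatures are decoded but NOT verified; that needs the log's public key.
"""
import struct
from datetime import datetime, timezone

SCT_VERSION_V1 = 0
HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm registry values
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm registry values


def unwrap_octet_string(der: bytes) -> bytes:
    """Strip exactly one DER OCTET STRING (tag 0x04) wrapper."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected a DER OCTET STRING")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length
        n = first & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(der):
        raise ValueError("OCTET STRING length does not match payload")
    return der[offset:offset + length]


def parse_sct(sct: bytes) -> dict:
    """Decode one SerializedSCT (RFC 6962 section 3.2)."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != SCT_VERSION_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = sct[1:33]                                  # SHA-256 of log key
    timestamp_ms = struct.unpack(">Q", sct[33:41])[0]   # ms since epoch
    ext_len = struct.unpack(">H", sct[41:43])[0]
    pos = 43
    extensions = sct[pos:pos + ext_len]
    pos += ext_len
    if len(sct) < pos + 4:
        raise ValueError("SCT truncated before signature")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", sct[pos:pos + 4])
    pos += 4
    signature = sct[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(sct):
        raise ValueError("SCT signature length mismatch")
    return {
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
    }


def parse_sct_list(data: bytes, der_wrapped: bool) -> list:
    """Decode a SignedCertificateTimestampList: 2-byte total length, then
    2-byte-length-prefixed SerializedSCT entries. Raises ValueError on any
    length inconsistency rather than silently returning a partial list."""
    if der_wrapped:
        data = unwrap_octet_string(data)
    if len(data) < 2:
        raise ValueError("SCT list too short")
    total = struct.unpack(">H", data[:2])[0]
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("SCT entry length prefix truncated")
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        entry = data[pos:pos + n]
        if len(entry) != n:
            raise ValueError("SCT entry truncated")
        scts.append(parse_sct(entry))
        pos += n
    return scts


# --- Constructed sample input (not real SCTs) ------------------------------
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize a v1 SCT with no extensions and an ecdsa/sha256 signature
    field; signature bytes are dummy placeholders, not a real signature."""
    return (bytes([SCT_VERSION_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + struct.pack(">BBH", 4, 3, len(signature))
            + signature)


def build_sct_list(scts) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def der_octet_string(payload: bytes) -> bytes:
    """Wrap payload in a DER OCTET STRING (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(lb)]) + lb + payload


# Two fake SCTs (dummy log IDs / signatures) as a TLS-extension-style list,
# plus the same list wrapped as it would appear in a certificate extension.
SAMPLE_TLS_EXT = build_sct_list([
    build_sct(b"\x11" * 32, 1477410000000, b"\x30\x06\x02\x01\x01\x02\x01\x01"),
    build_sct(b"\x22" * 32, 1477411000000, b"\x30\x06\x02\x01\x02\x02\x01\x02"),
])
SAMPLE_CERT_EXT = der_octet_string(SAMPLE_TLS_EXT)

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_CERT_EXT, der_wrapped=True):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["sig_alg"])
```

To use it on real data, feed the raw value of the certificate or OCSP extension with `der_wrapped=True`, or the payload of TLS extension 18 with `der_wrapped=False`; the `der_wrapped` flag is explicit because a raw list whose length happens to start with byte 0x04 would otherwise be indistinguishable from a wrapped one.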