CT is coming to Firefox. As part of that, Mozilla needs to have a set of CT policies surrounding how that will work. Like our root inclusion program, we intend to run our CT log inclusion program in an open and transparent fashion, such that the Internet community can see how it works and how decisions are made. (It is quite possible that, like our root program, other entities without the resources to run their own programs might adopt our decisions.)
This policy will need to consider at least the following questions. The point of this posting is to gather more _questions_, not to work out the answers. In other words, I am trying to work out the scope of the policy, not what the policy will be. So, please add comments with additional _questions_ you think the policy will need to address. What the answers should be is (for now) off-topic.

Questions I have so far:

* How do we decide which logs to trust?
* Do we have requirements for uptime?
* Do we have requirements for certs accepted?
* Do we have requirements for the MMD?
* How do we decide when to un-trust a log? What reasons are valid reasons for doing so?
* Do we want to put monitoring in place to ensure our log quality or uptime requirements are met?
* Are there any CT-related services Mozilla should consider running or supporting, for the good of the ecosystem?
* Do we want to require a certain number of SCTs for certificates of particular validity periods?
* Do we want the Google/non-Google diversity requirement? Or any other diversity requirement?
* Which certs, if any, should we require CT for, and when?
* Do we want to allow some CAs to opt into CT before those dates?
* Do we want to require some CAs to do CT before those dates?

Gerv

