On Mon, Nov 14, 2016 at 11:46:28AM +0000, Gervase Markham wrote:
> CT is getting to be very useful as a way of surveying the certificate
> ecosystem. This is helpful to assess the impact of proposed policy
> changes or positions, e.g. "how many certs don't have an EKU", or "how
> many certs use a certain type of crypto". If certs under TCSCs are
> exempt and this becomes popular, CT would become less useful for that.
> 
> One possible answer is just to say: "Mozilla will not accept 'but we
> have a lot of certs under TCSCs which will be affected by this' as a
> valid reason not to do something. In other words, if you hide stuff and
> it breaks, you get to keep both pieces. But in practice, such a line
> might not hold.
> 
> Thoughts and suggestions?

I don't think TCSCs should be exempted from any CT requirements; as you say,
there is significant value in having a near-complete picture of the state of
the WebPKI.  There is extensive evidence that a browser's position that "if
your private stuff breaks, sucks to be you" will *not* stick in the face of
post-change breakage, regardless of how much notice certificate holders and
their issuers are given.  Only by knowing what is going on in the WebPKI can
browsers have any hope of not inadvertently causing problems.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
