Hi Gerv,

One idea that occurred to me (maybe novel, though I doubt it), is requiring mandatory _timely_ CT submission for intermediates/cross signatures. That is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be less than some period, perhaps 3 days. This would ensure rapid visibility into important changes to the WebPKI.
Alex

On Mon, May 1, 2017 at 10:16 AM, Gervase Markham via dev-security-policy <[email protected]> wrote:
> Here is my analysis and proposal for what actions the Mozilla CA
> Certificates module owner should take in respect of Symantec.
>
> https://docs.google.com/document/d/1RhDcwbMeqgE2Cb5e6xaPq-lUPmatQZwx3Sn2NPz9jF8/edit#
>
> Please discuss the document here in mozilla.dev.security.policy. A good
> timeframe for discussion would be one week; we would aim to finalise the
> plan and pass it to the module owner for a decision next Monday, 8th
> May. Note that Kathleen is not around until Wednesday, and may choose to
> read rather than comment here. It is not a given that she will agree
> with me, or the final form of the proposal :-)
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
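The timeliness check Alex sketches (earliest SCT timestamp minus the certificate's notBefore must stay under a few days) is easy to turn into a concrete compliance test. The following is an added example written for this page, not code from the thread or from Mozilla; it parses an RFC 6962 SignedCertificateTimestampList from its TLS wire encoding and applies the rule. Assumptions: the 3-day threshold is treated as inclusive, the sample SCT list is constructed with placeholder log IDs and unverified placeholder signatures, and a negative delay (logged before notBefore) is counted as timely.

```python
import struct
from datetime import datetime, timedelta, timezone

# Threshold proposed in the thread ("perhaps 3 days"); treating it as inclusive is an assumption.
MAX_SUBMISSION_DELAY = timedelta(days=3)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 v1 SignedCertificateTimestamp. The signature is left opaque, not verified."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    if sct[0] != 0:  # sct_version v1 is encoded as 0
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])  # uint64 milliseconds since the Unix epoch
    (ext_len,) = struct.unpack(">H", sct[41:43])
    if 43 + ext_len > len(sct):
        raise ValueError("extensions length overruns SCT")
    return {
        "log_id": log_id,
        "timestamp": EPOCH + timedelta(milliseconds=timestamp_ms),  # exact, no float rounding
        "extensions": sct[43:43 + ext_len],
        "signature": sct[43 + ext_len:],  # TLS DigitallySigned structure
    }


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: 2-byte total length, then 2-byte length-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total_len,) = struct.unpack(">H", data[:2])
    if total_len != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, offset = [], 2
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack(">H", data[offset:offset + 2])
        offset += 2
        if offset + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[offset:offset + n]))
        offset += n
    return scts


def submission_delay(not_before: datetime, scts: list):
    """Earliest SCT timestamp minus notBefore, or None when the certificate carries no SCTs.
    A negative delay means the (pre)certificate was logged before notBefore; that is fine for timeliness."""
    if not scts:
        return None
    return min(s["timestamp"] for s in scts) - not_before


def is_timely(not_before: datetime, scts: list, max_delay: timedelta = MAX_SUBMISSION_DELAY) -> bool:
    """Alex's rule: an issuer cert is compliant only if some log saw it within max_delay of notBefore."""
    delay = submission_delay(not_before, scts)
    return delay is not None and delay <= max_delay


# --- constructed sample data (placeholder log IDs and signatures, not real logs or certificates) ---
def build_sct(log_id: bytes, timestamp: datetime, signature: bytes = b"\x04\x03\x00\x00") -> bytes:
    ms = (timestamp - EPOCH) // timedelta(milliseconds=1)
    return b"\x00" + log_id + struct.pack(">Q", ms) + struct.pack(">H", 0) + signature


def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


NOT_BEFORE = datetime(2017, 5, 1, tzinfo=timezone.utc)
FAKE_LOG_A = bytes([0xA1]) * 32
FAKE_LOG_B = bytes([0xB2]) * 32
# One log saw the cert a day after issuance, another only ten days later; the earliest SCT counts.
TIMELY_SCT_LIST = build_sct_list([
    build_sct(FAKE_LOG_A, NOT_BEFORE + timedelta(days=1)),
    build_sct(FAKE_LOG_B, NOT_BEFORE + timedelta(days=10)),
])
# Only logged ten days after notBefore: violates the 3-day requirement.
LATE_SCT_LIST = build_sct_list([build_sct(FAKE_LOG_B, NOT_BEFORE + timedelta(days=10))])

if __name__ == "__main__":
    for name, blob in (("timely", TIMELY_SCT_LIST), ("late", LATE_SCT_LIST)):
        scts = parse_sct_list(blob)
        verdict = "compliant" if is_timely(NOT_BEFORE, scts) else "NOT compliant"
        print(name, submission_delay(NOT_BEFORE, scts), verdict)
```

In practice the SCT list would come from the certificate's embedded SCT extension (OID 1.3.6.1.4.1.11129.2.4.2), a TLS extension or a stapled OCSP response, and notBefore from the certificate itself; the checker above deliberately takes the earliest SCT so that a late submission to a second log cannot mask a timely first one, and treats a missing SCT list as non-compliant rather than unknown.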

