On 01/05/17 18:33, Alex Gaynor via dev-security-policy wrote:
Hi Gerv,

One idea that occurred to me (maybe novel, though I doubt it), is requiring
mandatory _timely_ CT submission for intermediates/cross signatures. That
is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
less than some period, perhaps 3 days. This would ensure rapid visibility
into important changes to the WebPKI.

Hi Alex. Mandatory timely CCADB submission is already planned (for the next version of the Mozilla Root Store Policy, I presume):

https://github.com/mozilla/pkipolicy/commit/b7d1b6c04458114fbe73fa3f146ad401235c2a1b

I keep an eye on https://crt.sh/mozilla-disclosures#unknown (which shows intermediates known to CCADB but not yet known to CT/crt.sh). When an intermediate appears in that list, I'll grab the PEM data from CCADB, paste it onto https://crt.sh/gen-add-chain, and then submit it to some CT logs. However, it would be great if the CAs would do this themselves. :-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
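As an added illustration of the two mechanics discussed above (not code from either poster): Alex's proposed timeliness rule, (SCT timestamp - notBefore) under some threshold, and the add-chain submission Rob does by hand via crt.sh/gen-add-chain. Per RFC 6962, an SCT timestamp is milliseconds since the Unix epoch and /ct/v1/add-chain takes a JSON body of base64 DER certificates, which is exactly the body text of each PEM block. The certificate here is a constructed fixture with only enough TBSCertificate structure to locate notBefore; it is not a real intermediate, and the 3-day threshold is Alex's suggested figure, not policy.

```python
import base64
import datetime as dt
import json

# Added example, not from the thread. SCT timestamps are ms since the epoch
# (RFC 6962 s.3.2); add-chain takes {"chain": [base64 DER, ...]} (RFC 6962 s.4.1).


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])                  # RFC 5280 s.4.1.2.5.1 two-digit year rule
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def not_before(cert_der: bytes) -> dt.datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notBefore."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    tag, value, _ = read_tlv(validity, 0)
    return parse_time(tag, value)


def utc_ms(year, month, day, hour=0, minute=0, second=0) -> int:
    """Milliseconds since the epoch, the unit an SCT timestamp uses."""
    t = dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)
    return int(t.timestamp() * 1000)


def seconds_to_sct(cert_der: bytes, sct_timestamp_ms: int) -> float:
    """SCT timestamp minus notBefore, in seconds."""
    logged = dt.datetime.fromtimestamp(sct_timestamp_ms / 1000, dt.timezone.utc)
    return (logged - not_before(cert_der)).total_seconds()


def is_timely(cert_der: bytes, sct_timestamp_ms: int, max_days: int = 3) -> bool:
    """The proposed rule: (SCT timestamp - notBefore) must not exceed max_days."""
    return seconds_to_sct(cert_der, sct_timestamp_ms) <= max_days * 86400


def add_chain_payload(pem_text: str) -> dict:
    """Body for POST <log>/ct/v1/add-chain: each PEM body, whitespace stripped, is base64 DER."""
    chain = []
    for block in pem_text.split("-----BEGIN CERTIFICATE-----")[1:]:
        body = block.split("-----END CERTIFICATE-----")[0]
        chain.append("".join(body.split()))
    return {"chain": chain}


def der_from_chain_entry(entry: str) -> bytes:
    """What the log does with each chain element: base64-decode back to DER."""
    return base64.b64decode(entry)


def to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def toy_intermediate(not_before_utctime: str) -> bytes:
    """Constructed fixture, not a real certificate: just enough TBS structure for not_before()."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                  # version v3
        der(0x02, b"\x01"),                                             # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        der(0x30, b""),                                                 # issuer (empty Name)
        der(0x30, der(0x17, not_before_utctime.encode()) + der(0x17, b"270101000000Z")),
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # + signatureAlgorithm, signatureValue


if __name__ == "__main__":
    cert = toy_intermediate("170428120000Z")   # constructed notBefore: 2017-04-28 12:00:00Z
    print(json.dumps(add_chain_payload(to_pem(cert))))
    for when in (utc_ms(2017, 4, 29, 9), utc_ms(2017, 5, 1, 18, 33)):
        print(when, seconds_to_sct(cert, when), is_timely(cert, when))
```

With the constructed notBefore of 2017-04-28 12:00Z, an SCT issued the next morning passes the 3-day rule and one issued at the time of this message (2017-05-01 18:33Z, about 3 days 6.5 hours later) fails it. Submitting for real means POSTing the JSON body to a log's /ct/v1/add-chain endpoint, leaf first, and reading the `timestamp` field from the returned SCT; the check above is then run on that value.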
