On 01/05/17 18:33, Alex Gaynor via dev-security-policy wrote:
Hi Gerv,

One idea that occurred to me (maybe novel, though I doubt it), is requiring
mandatory _timely_ CT submission for intermediates/cross signatures. That
is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
less than some period, perhaps 3 days. This would ensure rapid visibility
into important changes to the WebPKI.

Hi Alex. Mandatory timely CCADB submission is already planned (for the next version of the Mozilla Root Store Policy, I presume):


I keep an eye on https://crt.sh/mozilla-disclosures#unknown (which shows intermediates known to CCADB but not yet known to CT/crt.sh). When an intermediate appears in that list, I'll grab the PEM data from CCADB, paste it onto https://crt.sh/gen-add-chain, and then submit it to some CT logs. However, it would be great if the CAs would do this themselves. :-)
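The `(SCT-timestamp - cert-not-before) < 3 days` rule Alex proposes, as an added example (not code from either poster, nor from crt.sh or CCADB): parse the SCT list carried in an intermediate's SCT extension and flag any SCT logged after the window. The notBefore date, log ids and SCT bytes are constructed, and signatures are not verified.

```python
"""Timeliness check for CT submission of intermediates: every SCT must be
issued within MAX_DELAY of the certificate's notBefore.  Constructed example;
the SCT bytes are synthetic and carry an empty placeholder signature."""
import struct
from datetime import datetime, timedelta, timezone

MAX_DELAY = timedelta(days=3)  # window suggested in the thread


def parse_sct_list(blob):
    """Parse an RFC 6962 SignedCertificateTimestampList (the encoding inside the
    X.509 SCT extension) and return each v1 SCT's log id and timestamp."""
    (total,) = struct.unpack(">H", blob[:2])
    pos, end, scts = 2, 2 + total, []
    if end != len(blob):
        raise ValueError("SCT list length does not match data")
    while pos < end:
        (length,) = struct.unpack(">H", blob[pos:pos + 2])
        sct = blob[pos + 2:pos + 2 + length]
        pos += 2 + length
        if len(sct) < 1 + 32 + 8 + 2 or sct[0] != 0:  # version byte must be v1
            raise ValueError("malformed or unsupported SCT")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])  # ms since epoch, UTC
        scts.append({"log_id": sct[1:33].hex(),
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)})
    return scts


def check_timeliness(not_before, sct_blob, max_delay=MAX_DELAY):
    """Return (compliant, details).  Compliant only if at least one SCT exists and
    none was issued later than not_before + max_delay; details lists each delay."""
    scts = parse_sct_list(sct_blob)
    details = [(s["log_id"][:8], s["timestamp"] - not_before) for s in scts]
    return bool(scts) and all(d <= max_delay for _, d in details), details


def make_sct(log_id, ts):
    """Build a synthetic v1 SCT: empty extensions, sha256/ecdsa, empty signature."""
    body = b"\x00" + log_id + struct.pack(">Q", int(ts.timestamp() * 1000))
    body += b"\x00\x00" + b"\x04\x03\x00\x00"
    return struct.pack(">H", len(body)) + body


def make_sct_list(*scts):
    payload = b"".join(scts)
    return struct.pack(">H", len(payload)) + payload


# Constructed intermediate: notBefore 2017-05-01, logged by two hypothetical logs.
NOT_BEFORE = datetime(2017, 5, 1, tzinfo=timezone.utc)
LOG_A, LOG_B = bytes([0xAA]) * 32, bytes([0xBB]) * 32
TIMELY_LIST = make_sct_list(make_sct(LOG_A, NOT_BEFORE + timedelta(hours=6)),
                            make_sct(LOG_B, NOT_BEFORE + timedelta(days=2)))
LATE_LIST = make_sct_list(make_sct(LOG_A, NOT_BEFORE + timedelta(days=5)))

if __name__ == "__main__":
    print("timely:", check_timeliness(NOT_BEFORE, TIMELY_LIST))
    print("late:  ", check_timeliness(NOT_BEFORE, LATE_LIST))
```

An intermediate with no SCTs at all is reported as non-compliant too, since the rule is about proving timely submission, not merely the absence of late ones.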

