On 01/05/17 18:33, Alex Gaynor wrote:
> One idea that occurred to me (maybe novel, though I doubt it), is requiring
> mandatory _timely_ CT submission for intermediates/cross signatures. That
> is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
> less than some period, perhaps 3 days. This would ensure rapid visibility
> into important changes to the WebPKI.

Interesting idea. Thanks for suggesting it :-) So something like:

Any certificate issued in Symantec's publicly-trusted hierarchies with
the cA boolean set to TRUE in basicConstraints must be submitted to two
public CT logs within 3 days of issuance.
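
The rule proposed above, sketched as an audit check; this is an added example, not part of the original email. It assumes issuance time is approximated by notBefore (as in the quoted formula), and the record layout, certificate names and log ids are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_DELAY = timedelta(days=3)  # window proposed in the thread
MIN_LOGS = 2                   # "two public CT logs"

def sct_time(ms):
    """RFC 6962 SCT timestamps are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def check_timely_ct(cert):
    """Return (compliant, reason) for one hypothetical certificate record."""
    if not cert["is_ca"]:
        return True, "cA is FALSE, rule does not apply"
    timely = set()
    for log_id, ts_ms in cert["scts"]:
        # SCT-timestamp minus notBefore; an SCT issued before notBefore is timely.
        if sct_time(ts_ms) - cert["not_before"] <= MAX_DELAY:
            timely.add(log_id)  # a set, so two SCTs from one log count once
    if len(timely) >= MIN_LOGS:
        return True, "logged in time by %d logs" % len(timely)
    return False, "only %d distinct log(s) within %d days" % (len(timely), MAX_DELAY.days)

def to_ms(dt):
    """Convert an aware datetime to an SCT-style millisecond timestamp."""
    return int(dt.timestamp() * 1000)

# Constructed sample records; names, log ids and dates are made up.
NB = datetime(2017, 5, 1, tzinfo=timezone.utc)
SAMPLE = {
    "intermediate-ok": {"is_ca": True, "not_before": NB,
        "scts": [("log-a", to_ms(NB + timedelta(hours=2))),
                 ("log-b", to_ms(NB + timedelta(days=2)))]},
    "intermediate-late": {"is_ca": True, "not_before": NB,
        "scts": [("log-a", to_ms(NB + timedelta(days=1))),
                 ("log-b", to_ms(NB + timedelta(days=40)))]},
    "intermediate-one-log": {"is_ca": True, "not_before": NB,
        "scts": [("log-a", to_ms(NB + timedelta(hours=1))),
                 ("log-a", to_ms(NB + timedelta(hours=5)))]},
    "leaf": {"is_ca": False, "not_before": NB, "scts": []},
}

def audit(certs):
    """Map each certificate name to its (compliant, reason) result."""
    return {name: check_timely_ct(c) for name, c in certs.items()}

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE).items():
        print("%-22s %-5s %s" % (name, "PASS" if ok else "FAIL", why))
```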


dev-security-policy mailing list
