On 2017-05-02 12:55, Gervase Markham wrote:
On 01/05/17 18:33, Alex Gaynor wrote:
One idea that occurred to me (maybe novel, though I doubt it), is requiring
mandatory _timely_ CT submission for intermediates/cross signatures. That
is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
less than some period, perhaps 3 days. This would ensure rapid visibility
into important changes to the WebPKI.

Interesting idea. Thanks for suggesting it :-) So something like:

Any certificate issued in Symantec's publicly-trusted hierarchies with
the cA boolean set to TRUE in basicConstraints must be submitted to two
public CT logs within 3 days of issuance.

I assume that would include all their certificates, including those not chaining to one in the Mozilla root store because they are, for instance, only used for code signing? I guess we don't care about those that only chain to a root that has been removed?


dev-security-policy mailing list
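The timeliness rule discussed in this thread, sketched as an added example (not code from any of the posters or from Mozilla). It assumes notBefore stands in for the issuance time and that SCT timestamps are the RFC 6962 millisecond values; the certificate names and log labels are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_DELAY = timedelta(days=3)  # "perhaps 3 days" in the proposal
MIN_LOGS = 2                   # "two public CT logs"

@dataclass(frozen=True)
class Sct:
    log_id: str        # constructed label standing in for the log's ID
    timestamp_ms: int  # SCT timestamp: milliseconds since the Unix epoch (RFC 6962)

@dataclass(frozen=True)
class Cert:
    subject: str
    is_ca: bool           # cA boolean in basicConstraints
    not_before: datetime  # assumption: used as the issuance time
    scts: tuple = ()

def ms(dt):
    """Convert an aware datetime to an SCT-style millisecond timestamp."""
    return (dt - EPOCH) // timedelta(milliseconds=1)

def timely_logs(cert):
    """Return the distinct logs holding an SCT issued within MAX_DELAY of notBefore."""
    logs = set()
    for sct in cert.scts:
        delay = EPOCH + timedelta(milliseconds=sct.timestamp_ms) - cert.not_before
        if delay < MAX_DELAY:  # strict: "must be less than some period"
            logs.add(sct.log_id)
    return logs

def audit(certs):
    """Map each CA certificate's subject to True (compliant) or False; leaves are skipped."""
    return {c.subject: len(timely_logs(c)) >= MIN_LOGS for c in certs if c.is_ca}

# Constructed sample data, not real certificates or logs.
NB = datetime(2017, 5, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = [
    Cert("Constructed Intermediate A", True, NB,
         (Sct("log-1", ms(NB + DAY)), Sct("log-2", ms(NB + 2 * DAY)))),
    # Two timely SCTs from the same log count once; the second log is late.
    Cert("Constructed Intermediate B", True, NB,
         (Sct("log-1", ms(NB + DAY)), Sct("log-1", ms(NB + 2 * DAY)),
          Sct("log-2", ms(NB + 5 * DAY)))),
    Cert("Constructed Cross-Sign C", True, NB),  # never logged
    Cert("constructed-leaf.example", False, NB),  # cA FALSE: out of scope
]
```

Because the check is anchored on notBefore, a backdated certificate fails it unless the SCTs are backdated too, which the logs control rather than the issuer.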
