On Wed, May 10, 2017 at 2:06 PM, mono.riot--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote: > > The next step, if Symantec wish to continue to use their current PKI in > the future, should be logging (ASAP) *all* of the certificates they issued > to a CT log, then we'll know how deep is the rabbit hole. > > already the case since '15 > > https://security.googleblog.com/2015/10/sustaining- > digital-certificate-security.html The blog post is dated October 15, but the requirement* only came into effect June 1st, 2016 > although I'm not certain if this applied only to certs issued under the > Symantec brand. Any certs issued by any Symantec CA, regardless of brand, unless the CA is operated by a 3rd party under its own, separate, audit. Andrew *required for the cert to be trusted in Chrome. They are still free to issue certs that don't comply with the Chrome CT Policy, but those will cause an interstitial warning in Chrome. _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
