On 05/16/2017 03:50 AM, Michael Casadevall wrote:
> On 05/15/2017 06:05 PM, Jakob Bohm wrote:
>  - A three-day grace period shall be in place from the issuance date of
> a certificate to when it must be in the CT logs for validation reasons
> (this is in line with other proposals here).
>  - All server authentication certificates shall be submitted to at least
> two public CT logs.

Just realized I had a brainfart when writing this. Don't believe I can
supersede on this list to fix it so sorry for the chatter.

This should say that certificates must be issued with an embedded SCT
which Symantec can get from their own log, and then upload the
certificate to other logs as part of the issuance.

As part of the CT validation, there would be a three day grace period
from the issuance date, to when the certificate can start failing due to
CT failure which should leave a nice bit of padding for the maximum
merge delay on the current public logs.
dev-security-policy mailing list

Reply via email to