On 05/16/2017 03:50 AM, Michael Casadevall wrote:
> On 05/15/2017 06:05 PM, Jakob Bohm wrote:
>>
>
> - A three-day grace period shall be in place from the issuance date of
> a certificate to when it must be in the CT logs for validation reasons
> (this is in line with other proposals here).
>
> - All server authentication certificates shall be submitted to at least
> two public CT logs.
>
Just realized I had a brainfart when writing this. Don't believe I can supersede on this list to fix it so sorry for the chatter.

This should say that certificates must be issued with an embedded SCT which Symantec can get from their own log, and then upload the certificate to other logs as part of the issuance.

As part of the CT validation, there would be a three day grace period from the issuance date, to when the certificate can start failing due to CT failure which should leave a nice bit of padding for the maximum merge delay on the current public logs.

Michael
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy