On 20/05/17 15:26, Michael Casadevall wrote:
> However, for Mozilla's purposes, is there a case where having an SCT in
> certificate would either break something, or otherwise be undesirable?

I believe we turned the checking on and discovered performance issues, so we turned it off. I'm not sure if those have since been solved. JC?

> Well, at least with the current state of webpki, mandating an embedded
> SCT is probably not practical for everyone. I actually forgot about the
> OCSP stapling mechanism for SCTs, though my concern here is not everyone
> turns on OCSP stapling. Since both OCSP CT stapling and embedded SCTs
> require that the cert be submitted to a log at issuance,

That's not so. OCSP CT stapling doesn't require the cert be submitted to a log at issuance. You only need to do it at some point before you start using it. The same is true of the SSL handshake method.

> - By default, Symantec shall issue certificates with embedded SCTs
>   (soft-fail for failure to validate SCT information)

Given that Chrome is requiring CT for all Symantec certificates, one could argue there's minimal value in Mozilla coming up with its own CT-related requirements, particularly as Mozilla has not (yet?) deployed SCT checking in Firefox.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

