I'll speak up for transparency again. In terms of policy the most vital thing is that a CA tells us about such certs during application. One way to do that would be to CT log them, but especially for small sets there might be other sensible ways. If we can't be shown the certs in question (or much worse the CA didn't keep records) it's tough to be sure the risk is tolerable, we're back to taking the CA's word for it. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
BR compliance of legacy certs at root inclusion time
Nick Lamb via dev-security-policy Fri, 18 Aug 2017 09:10:31 -0700
- Re: BR compliance of legacy ... Ryan Sleevi via dev-security-policy
- Re: BR compliance of le... Peter Bowen via dev-security-policy
- Re: BR compliance o... Ryan Sleevi via dev-security-policy
- Re: BR compliance of legacy ... Kristian Fiskerstrand via dev-security-policy
- Re: BR compliance of legacy ... Peter Kurrasch via dev-security-policy
- Re: BR compliance of legacy ... Gervase Markham via dev-security-policy
- Re: BR compliance of le... Ryan Sleevi via dev-security-policy
- Re: BR compliance of le... Peter Kurrasch via dev-security-policy
- Re: BR compliance of le... Nick Lamb via dev-security-policy
- Re: BR compliance of le... Gervase Markham via dev-security-policy
- BR compliance of legacy cert... Nick Lamb via dev-security-policy
