I agree. Unfortunately, an extension of this period essentially slows down
the agility of the CT ecosystem. I hope the implementers of this work sync
with the Chrome and Apple teams to understand the reasons behind some of
their implementation behaviors so they can be taken into consideration. For
example, I believe both turn off CT enforcement after some time due to past
issues. Regardless, I am happy to finally see this work proceed and wish
the Mozilla team success in this journey.

On Wed, Oct 16, 2024 at 10:22 AM 'Matthew McPherrin' via
[email protected] <[email protected]> wrote:

> It appears that Firefox has a 12-week time-gate on enforcement:
>
>
> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/certverifier/CertVerifier.cpp#L241
>
> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/security/ct/CTKnownLogs.h#L17
>
> https://github.com/mozilla/gecko-dev/blob/a9b60625c56e90a215553fbad2ad75f7af4fbc29/taskcluster/docker/periodic-updates/scripts/getCTKnownLogs.py#L228-L230
>
> This is two weeks longer than Chrome's 70 day enforcement gate, which
> seems like it could potentially cause issues, assuming CAs are looking at
> Apple and Google's "Usable" state only. I think in practice logs are
> "usable" well in advance of their submission windows, so this may cause a
> tricky-to-diagnose edge case for Firefox users that only happens rarely.
>
>
>
> On Wed, Oct 16, 2024 at 6:27 AM 'Rob Stradling' via
> [email protected] <[email protected]> wrote:
>
>> If I understand correctly from Bug 1921525
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1921525>, CT enforcement
>> just landed in Firefox Nightly.  Congratulations, Mozilla team!  I have
>> questions though...
>>
>> Am I correct that Firefox Nightly is currently using this hard-coded log
>> list
>> <https://github.com/mozilla/gecko-dev/blob/master/security/ct/CTKnownLogs.h>,
>> meaning that log list changes will be tied to browser releases?
>> If so, may I ask if Mozilla plans to implement a dedicated log list
>> update mechanism, perhaps based on a JSON feed as both Chrome
>> <https://www.gstatic.com/ct/log_list/v3/log_list.json> and Apple
>> <https://valid.apple.com/ct/log_list/current_log_list.json> have done?
>>
>> Does Mozilla have a CT Policy yet?  This wiki page
>> <https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency> from
>> 2015 is the only documentation I could find.
>>
>> Does Mozilla have a CT Log Policy yet?
>>
>> Chrome is working towards
>> <https://groups.google.com/a/chromium.org/g/ct-policy/c/W7OSO3SbrFo/m/S2XyhXx_AAAJ>
>>  allowing
>> static-ct-api logs in addition to RFC6962 logs.  Does Mozilla plan to do
>> the same?
>>
>> --
>> Rob Stradling
>> Distinguished Engineer
>> Sectigo Limited
>>

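To make the edge case Matthew describes concrete, here is an added example (not code from the thread, Mozilla or Chromium) that models the time-gate as the thread describes it: a browser stops enforcing CT once its embedded log list is older than the gate (70 days for Chrome, 12 weeks for Firefox). The log IDs, the list snapshot date and the two-SCT minimum are constructed assumptions for illustration; real CT policies also check operator diversity and certificate lifetime.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BrowserPolicy:
    name: str
    gate: timedelta            # list age beyond which enforcement is switched off
    list_timestamp: datetime   # when the embedded log list snapshot was generated
    known_logs: frozenset      # log IDs present in that snapshot


def enforcement_active(policy: BrowserPolicy, now: datetime) -> bool:
    """Time-gate as described in the thread: a list older than the gate is too stale to enforce."""
    return now - policy.list_timestamp <= policy.gate


def evaluate(policy: BrowserPolicy, sct_log_ids, now: datetime, min_scts: int = 2):
    """Simplified verdict: compliant if at least min_scts SCTs come from logs the
    browser's snapshot knows. Returns (verdict, reason)."""
    if not enforcement_active(policy, now):
        return "accept", "log list stale, CT not enforced"
    known = [log for log in sct_log_ids if log in policy.known_logs]
    if len(known) >= min_scts:
        return "accept", f"{len(known)} SCTs from known logs"
    return "reject", f"only {len(known)} SCTs from known logs"


def scenario(list_age_days: int) -> dict:
    """Constructed case: both browsers carry a list snapshot that is list_age_days old.
    A log ("new-log") became usable in the public JSON feeds after that snapshot, and
    the CA embedded one SCT from an older log and one from new-log."""
    now = datetime(2024, 10, 16, tzinfo=timezone.utc)
    snapshot = now - timedelta(days=list_age_days)
    old_logs = frozenset({"old-log-a", "old-log-b"})
    browsers = [
        BrowserPolicy("Chrome", timedelta(days=70), snapshot, old_logs),
        BrowserPolicy("Firefox", timedelta(weeks=12), snapshot, old_logs),
    ]
    scts = ["old-log-a", "new-log"]
    return {b.name: evaluate(b, scts, now)[0] for b in browsers}


if __name__ == "__main__":
    # Between day 70 and day 84 only Firefox still enforces with the stale list,
    # so the same certificate is accepted by Chrome and rejected by Firefox.
    for age in (60, 75, 90):
        print(age, scenario(age))
```

The two-week window between the gates (list age 71 to 84 days) is where the verdicts diverge, which is the rarely-hit, hard-to-diagnose case the thread is worried about.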