Congratulations! As a CT log operator, do I need to begin submitting my new logs to Firefox, or will you take logs from the other programs? As a CA, do you have a list of supported logs that we can validate against?
Thanks,
Matthew McPherrin
Let's Encrypt SRE

On Tuesday, February 4, 2025 at 2:54:28 PM UTC-5 Dana Keeler wrote:

> Hi folks,
>
> Certificate Transparency is an important part of the web PKI that enables the detection of misissued certificates. Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms. This means that Firefox now requires that TLS web server certificates issued from roots in Mozilla's Root CA program be accompanied by sufficient Certificate Transparency information (essentially, 2 SCTs) in order for TLS connections to succeed. Otherwise, Firefox will show the error "MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY".
>
> In practice, this should require no particular changes on the part of website operators. If your site works in Chrome and Safari, it should work in Firefox as well. However, if you were making use of policies to exempt certain internal certificates or domains from CT, you will need to apply those policies to Firefox as well. See https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies
>
> If you encounter any issues, please let us know or file a bug directly: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM
>
> Thank you,
> Dana