> Could you clarify how this applies to custom CAs?

For CAs that are not part of Mozilla's Root CA program (in other words, CAs
that are not built-ins shipped with Firefox), no certificate transparency
information is required (in other words, for your custom CA, no action
should be needed).
The use of policies to exempt internal certificates or domains applies to
situations where a publicly-trusted CA was used to issue certificates for
domains that are intended to be internal to an organization.

On Tue, Feb 4, 2025 at 1:16 PM Jan Schaumann <jscha...@netmeister.org>
wrote:

> "'Dana Keeler' via dev-security-policy@mozilla.org" <
> dev-security-policy@mozilla.org> wrote:
>
> > Certificate Transparency is now enforced on all desktop platforms.
>
> This is great news!
>
> Could you clarify how this applies to custom CAs?  The
> language in your email could, I believe, be
> interpreted in different ways:
>
> > This means that Firefox now requires that TLS web
> > server certificates issued from roots in Mozilla's
> > Root CA program
>
> This part suggests to me that this _only_ applies to
> the CAs in the root program as shipped by Mozilla.
> I.e., if I add my custom CA, certs issued by that will
> _not_ be subject to this requirement.
>
> > However, if you were making use of policies to
> > exempt certain internal certificates or domains from
> > CT, you will need to apply those policies to Firefox
> > as well.
>
> But this statement suggests that for my custom CA I
> _do_ need to take action.
>
> Sorry if this is obvious to everybody else, but if you
> could clarify, that'd be much appreciated.
>
> Thanks!
> -Jan
>
