All,

We recently updated our Certificate Transparency policy documentation to
clarify our CT Log Policy.  You can view the full content at:
https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency.

Under our existing Mozilla CT Policy
<https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#CT_Policy>:
certificates with ≤180-day validity require 2 SCTs from distinct log
operators; certificates with >180-day validity require 3 SCTs, at least one
from an *Admissible* log at verification; and SCTs delivered via the TLS
handshake or OCSP must include 2 SCTs from distinct *Admissible* logs.

With this update we clarify that Mozilla recognizes CT logs listed in
Chromium’s log_list.json (
https://googlechrome.github.io/CertificateTransparency/log_lists.html) that
are marked *qualified*, *usable*, *readonly*, or *retired*.  Per
https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#CT_Log_Policy,
log operators should apply through Google’s CT log program. Admissible logs
MUST include all NSS roots that have the websites trust bit enabled, and
log operators MUST maintain reliable uptime, timely merging, and compliance
with CT operational requirements. Mozilla may independently assess or
disqualify any log if needed to protect its users.

These updates clarify Mozilla’s requirements for CT log operators and, with
the existing CT policy, will ensure continued alignment with other browsers.

Thanks,
Ben Wilson
Mozilla Root Program Manager
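Added example, not part of Ben's message and not Mozilla's or Chromium's code: a small checker that loads a log list in the shape of Chromium's log_list.json (operators, each with logs that carry a single state) and applies the three SCT quotas quoted above to a certificate's SCTs. The log list, operator names and log IDs below are constructed; "Admissible" is assumed to mean a recognized log whose state is qualified, usable or readonly at verification time (retired logs are recognized but no longer admissible), since the message itself does not define the term.

```python
"""Check a certificate's SCTs against the Mozilla CT policy summarized above.

Constructed example. The log list mimics the structure of Chromium's
log_list.json (operators -> logs -> state) with made-up names and IDs.
"Admissible" is assumed to be {qualified, usable, readonly}; "recognized"
is that set plus retired, as the message states.
"""
import json
from dataclasses import dataclass

RECOGNIZED_STATES = {"qualified", "usable", "readonly", "retired"}
ADMISSIBLE_STATES = {"qualified", "usable", "readonly"}   # assumption, see lead-in

# Constructed log list; log IDs and operator names are fictional.
SAMPLE_LOG_LIST = json.dumps({
    "version": "0.0",
    "operators": [
        {"name": "Operator A", "logs": [
            {"description": "A 2025", "log_id": "a2025",
             "state": {"usable": {"timestamp": "2025-01-01T00:00:00Z"}}},
            {"description": "A 2026", "log_id": "a2026",
             "state": {"qualified": {"timestamp": "2025-06-01T00:00:00Z"}}}]},
        {"name": "Operator B", "logs": [
            {"description": "B 2025", "log_id": "b2025",
             "state": {"readonly": {"timestamp": "2025-03-01T00:00:00Z"}}}]},
        {"name": "Operator C", "logs": [
            {"description": "C 2024", "log_id": "c2024",
             "state": {"retired": {"timestamp": "2025-02-01T00:00:00Z"}}}]},
        {"name": "Operator D", "logs": [
            {"description": "D pending", "log_id": "dpend",
             "state": {"pending": {"timestamp": "2025-07-01T00:00:00Z"}}}]},
    ],
})


@dataclass(frozen=True)
class LogInfo:
    operator: str
    state: str


def load_log_list(text):
    """Map log_id -> LogInfo(operator, state) for every log in the document."""
    result = {}
    for op in json.loads(text)["operators"]:
        for log in op["logs"]:
            (state,) = log["state"].keys()   # each log carries exactly one state
            result[log["log_id"]] = LogInfo(op["name"], state)
    return result


def check_sct_policy(sct_log_ids, validity_days, logs, source="embedded"):
    """Return (ok, reason) for the SCTs presented with one certificate.

    sct_log_ids:   log_id of each SCT (duplicates from one log count once).
    validity_days: the certificate's validity period in days.
    source:        "embedded" (SCTs inside the certificate) or
                   "handshake" (SCTs delivered via TLS extension or OCSP).
    """
    # Only SCTs from recognized logs count at all; pending/rejected logs do not.
    known = {lid: logs[lid] for lid in sct_log_ids
             if lid in logs and logs[lid].state in RECOGNIZED_STATES}
    admissible = {lid: info for lid, info in known.items()
                  if info.state in ADMISSIBLE_STATES}

    if source == "handshake":
        # TLS handshake / OCSP: 2 SCTs from distinct Admissible logs.
        if len(admissible) < 2:
            return False, f"handshake SCTs need 2 distinct Admissible logs, got {len(admissible)}"
        return True, "ok"

    if validity_days <= 180:
        # <=180-day certificates: 2 SCTs from distinct log operators.
        operators = {info.operator for info in known.values()}
        if len(known) < 2 or len(operators) < 2:
            return False, (f"<=180-day cert needs 2 SCTs from distinct operators, "
                           f"got {len(known)} logs / {len(operators)} operators")
        return True, "ok"

    # >180-day certificates: 3 SCTs, at least one from an Admissible log.
    if len(known) < 3:
        return False, f">180-day cert needs 3 SCTs from recognized logs, got {len(known)}"
    if not admissible:
        return False, ">180-day cert needs at least one SCT from an Admissible log"
    return True, "ok"


if __name__ == "__main__":
    logs = load_log_list(SAMPLE_LOG_LIST)
    print(check_sct_policy(["a2025", "b2025"], 90, logs))
    print(check_sct_policy(["a2025", "a2026"], 90, logs))           # same operator
    print(check_sct_policy(["a2025", "b2025", "c2024"], 398, logs))  # retired counts, a2025 admissible
    print(check_sct_policy(["a2025", "c2024"], 90, logs, source="handshake"))
```

Note that the retired log `c2024` still counts toward the embedded quotas (its SCTs were issued before retirement) but not toward the handshake quota, which needs Admissible logs, and that an SCT from a log the list does not recognize (`dpend`) contributes nothing.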
