On Fri, 12 Dec 2025 09:31:44 -0700
Jeremy Rowley <[email protected]> wrote:

> Is this a problem though?
> 
> I'm not sure any browser requires CT logging. The MS policy almost
> did but was changed before it became effective.
> 
> Apple's policy is close but the stated consequence is: "Certificates
> that fail to comply with our policy will result in a failed TLS
> connection, which can break an app's connection to Internet services
> or Safari's ability to seamlessly connect." This is just fine for
> WebPKI that doesn't care about Apple connections.
> 
> CT isn't required in the Chrome policy.
> 
> Mozilla policy doesn't state that CT logging is required.

I never said that this was a BR / root store policy violation.

But that doesn't mean it's not a problem. The affected CAs clearly weren't 
intending to issue unlogged certificates that don't need to work in browsers, 
as every affected certificate has SCTs. When the subscriber receives the 
certificate and finds it doesn't work in all browsers, that's presumably going 
to be a problem for them. 
<https://status.globalsign.com/incidents/49ndl5hz24h2> and Alvin's reply 
confirm that this has been causing subscriber impact. So, I thought CAs would 
want to know about it, and I think not all CAs are subscribed to ct-policy.

I also think that maybe it *should* be a root store policy violation if a 
certificate has an SCT extension but doesn't comply with CT policy. Root stores 
have an interest in avoiding breakage when they make changes. Unfortunately, 
without incident reports being required, there's no way to be sure the root 
cause is being addressed so that changes will be safer in the future.

Regards,
Andrew
