Yeah - that makes sense. I agree with you that it should be a violation. There’s a difference between not intending to include CT and including CT incorrectly.
On Fri, Dec 12, 2025 at 10:26 AM Andrew Ayer <[email protected]> wrote:

> On Fri, 12 Dec 2025 09:31:44 -0700 Jeremy Rowley <[email protected]> wrote:
>
> > Is this a problem though?
> >
> > I'm not sure any browser requires CT logging. The MS policy almost did but was changed before it became effective.
> >
> > Apple's policy is close but the stated consequence is: "Certificates that fail to comply with our policy will result in a failed TLS connection, which can break an app's connection to Internet services or Safari's ability to seamlessly connect." This is just fine for WebPKI that doesn't care about Apple connections.
> >
> > CT isn't required in the Chrome policy.
> >
> > Mozilla policy doesn't state that CT logging is required
>
> I never said that this was a BR / root store policy violation.
>
> But that doesn't mean it's not a problem. The affected CAs clearly weren't intending to issue unlogged certificates that don't need to work in browsers, as every affected certificate has SCTs. When the subscriber receives the certificate and finds it doesn't work in all browsers, that's presumably going to be a problem for them. <https://status.globalsign.com/incidents/49ndl5hz24h2> and Alvin's reply confirm that this has been causing subscriber impact. So, I thought CAs would want to know about it, and I think not all CAs are subscribed to ct-policy.
>
> I also think that maybe it *should* be a root store policy violation if a certificate has an SCT extension but doesn't comply with CT policy. Root stores have an interest in avoiding breakage when they make changes. Unfortunately, without incident reports being required, there's no way to be sure the root cause is being addressed so that changes will be safer in the future.
>
> Regards,
> Andrew
