On 02/01/2019 22:40, Wayne Thayer via dev-security-policy wrote: <snip> > Yes, the idea is that CT could remove the need to enforce intermediate > disclosures via policy.
Hi Wayne. That seems at odds with (my understanding of) the purpose of the disclosure requirement. The relevant phrase in the Mozilla Root Store Policy is "publicly disclosed and audited". The CCADB captures audit information, whereas CT logs do not. How would Mozilla check that a CT-logged intermediate is covered by an appropriate audit, if the CA is no longer required to disclose that information to the CCADB? -- Rob Stradling Senior Research & Development Scientist Sectigo Limited _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy