We recently updated our Certificate Transparency policy documentation to clarify our CT Log Policy. You can view the full content at: https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency.
Under our existing Mozilla CT Policy: certificates of ≤180-day validity require 2 SCTs from distinct log operators; certificates of >180-day validity require 3 SCTs, at least one from an Admissible log at verification; and SCTs delivered via TLS handshake or OCSP must include 2 SCTs from distinct Admissible logs.
With this update we clarify that Mozilla recognizes CT logs listed in Chromium’s log_list.json (https://googlechrome.github.io/CertificateTransparency/log_lists.html) that are marked qualified, usable, readonly, or retired. Per https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#CT_Log_Policy, log operators should apply through Google’s CT log program. Admissible logs MUST include all NSS roots that have the websites trust bit enabled, and log operators MUST maintain reliable uptime, timely merging, and compliance with CT operational requirements. Mozilla may independently assess or disqualify any log if needed to protect its users.
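As an added illustration (not part of this announcement or of any Mozilla code), the following Python checker applies the SCT rules above to a certificate's SCT set, using the log states this update names. It assumes that "Admissible at verification" means a recognized state other than retired, and that SCTs from logs outside the recognized list do not count; the log IDs and operator names are constructed.

```python
from dataclasses import dataclass

# Chromium log_list.json states the post names as recognized by Mozilla.
RECOGNIZED_STATES = {"qualified", "usable", "readonly", "retired"}
# Assumption: "Admissible at verification" means a recognized state other than retired.
ADMISSIBLE_STATES = RECOGNIZED_STATES - {"retired"}


@dataclass(frozen=True)
class SCT:
    log_id: str    # constructed log identifier, not a real log ID
    operator: str  # constructed operator name
    state: str     # state of the issuing log in log_list.json at verification time


def check_embedded(validity_days: int, scts: list[SCT]) -> tuple[bool, str]:
    """Embedded-SCT rule: <=180-day certificates need 2 SCTs from distinct
    log operators; >180-day certificates need 3 SCTs, at least one from a
    log that is Admissible at verification. SCTs from unrecognized logs
    are ignored (assumption: only recognized logs count toward the quota)."""
    recognized = [s for s in scts if s.state in RECOGNIZED_STATES]
    if validity_days <= 180:
        if len(recognized) < 2:
            return False, "fewer than 2 SCTs from recognized logs"
        if len({s.operator for s in recognized}) < 2:
            return False, "SCTs are not from distinct log operators"
        return True, "ok"
    if len(recognized) < 3:
        return False, "fewer than 3 SCTs from recognized logs"
    if not any(s.state in ADMISSIBLE_STATES for s in recognized):
        return False, "no SCT from a log Admissible at verification"
    return True, "ok"


def check_delivered(scts: list[SCT]) -> tuple[bool, str]:
    """TLS-handshake / OCSP rule: 2 SCTs from distinct Admissible logs."""
    admissible_logs = {s.log_id for s in scts if s.state in ADMISSIBLE_STATES}
    if len(admissible_logs) < 2:
        return False, "fewer than 2 SCTs from distinct Admissible logs"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a 398-day certificate with two retired-log SCTs and one usable-log SCT.
    sample = [SCT("log-a", "OperatorA", "retired"), SCT("log-b", "OperatorB", "retired"),
              SCT("log-c", "OperatorC", "usable")]
    print(check_embedded(398, sample))  # (True, 'ok')
    print(check_delivered(sample))      # (False, 'fewer than 2 SCTs from distinct Admissible logs')
```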
These updates clarify Mozilla’s requirements for CT log operators and, with the existing CT policy, will ensure continued alignment with other browsers.
Thanks,