Updated Mozilla CT Log Policy


Ben Wilson

Oct 22, 2025, 1:50:48 PM
to dev-secur...@mozilla.org
All,

We recently updated our Certificate Transparency policy documentation to clarify our CT Log Policy.  You can view the full content at: https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency.

Under our existing Mozilla CT Policy: certificates ≤180-day validity require 2 SCTs from distinct log operators; certificates >180-day validity require 3 SCTs, at least one from an Admissible log at verification; and SCTs via TLS handshake or OCSP must include 2 SCTs from distinct Admissible logs.

With this update we clarify that Mozilla recognizes CT logs listed in Chromium’s log_list.json (https://googlechrome.github.io/CertificateTransparency/log_lists.html) that are marked qualified, usable, readonly, or retired.  Per https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#CT_Log_Policy, log operators should apply through Google’s CT log program. Admissible logs MUST include all NSS roots that have the websites trust bit enabled, and log operators MUST maintain reliable uptime, timely merging, and compliance with CT operational requirements. Mozilla may independently assess or disqualify any log if needed to protect its users.

These updates clarify Mozilla’s requirements for CT log operators and, with the existing CT policy, will ensure continued alignment with other browsers.

Thanks,
Ben Wilson
Mozilla Root Program Manager
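
As an added illustration (not part of the original post, and not Mozilla's or Chromium's code), the example below applies the embedded-SCT counts summarized in the post above to a constructed fragment shaped like log_list.json. The sample logs, the function names, counting each log once, and the reading of "Admissible at verification" as currently qualified, usable, or readonly are assumptions.

```python
import json

# States the post says Mozilla recognizes from Chromium's log_list.json.
RECOGNIZED = {"qualified", "usable", "readonly", "retired"}
# ASSUMPTION (not stated in the post): "Admissible at verification" means the
# log's current state is one of these three, i.e. recognized and not retired.
ADMISSIBLE = {"qualified", "usable", "readonly"}

# Constructed sample in the shape of log_list.json (operators -> logs -> state).
SAMPLE_LOG_LIST = json.loads("""
{"operators": [
  {"name": "Operator A", "logs": [
    {"log_id": "AAAA", "state": {"usable": {"timestamp": "2024-01-01T00:00:00Z"}}},
    {"log_id": "AAAB", "state": {"retired": {"timestamp": "2025-01-01T00:00:00Z"}}}]},
  {"name": "Operator B", "logs": [
    {"log_id": "BBBB", "state": {"readonly": {"timestamp": "2025-06-01T00:00:00Z"}}},
    {"log_id": "BBBC", "state": {"rejected": {"timestamp": "2023-01-01T00:00:00Z"}}}]},
  {"name": "Operator C", "logs": [
    {"log_id": "CCCC", "state": {"pending": {"timestamp": "2025-09-01T00:00:00Z"}}}]}
]}
""")

def index_logs(log_list):
    """Map log_id -> (operator name, state name) for every log in the list."""
    out = {}
    for op in log_list["operators"]:
        for log in op.get("logs", []):
            # The state object carries exactly one key naming the state.
            state = next(iter(log.get("state", {})), "unknown")
            out[log["log_id"]] = (op["name"], state)
    return out

def embedded_scts_ok(sct_log_ids, validity_days, logs):
    """Apply the post's embedded-SCT counts to a certificate's SCT log IDs."""
    # ASSUMPTION: each log counts once; unknown or unrecognized logs count zero.
    seen = {i: logs[i] for i in set(sct_log_ids) if i in logs}
    counted = {i: v for i, v in seen.items() if v[1] in RECOGNIZED}
    if validity_days <= 180:
        operators = {op for op, _ in counted.values()}
        return len(counted) >= 2 and len(operators) >= 2
    has_admissible = any(state in ADMISSIBLE for _, state in counted.values())
    return len(counted) >= 3 and has_admissible
```
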

Suchan Seo

Feb 5, 2026, 7:41:22 PM
to dev-secur...@mozilla.org, Ben Wilson
As Chrome changed their policy to stop providing the log list to 3rd party CT verifiers without their explicit permission, and the current Mozilla policy is in effect "we're just using their list", did Mozilla approach the Chrome team to get permission to use the list?
On Thursday, October 23, 2025 at 2:50:48 AM UTC+9, Ben Wilson wrote:

David Adrian

Feb 5, 2026, 8:06:41 PM
to Suchan Seo, dev-secur...@mozilla.org, Ben Wilson
Yes.


Joe DeBlasio

Feb 5, 2026, 8:07:28 PM
to Suchan Seo, dev-secur...@mozilla.org, Ben Wilson
Yes, Mozilla did ask for, and get, Google's permission to use Chrome's lists as the basis for CT enforcement in Mozilla products. Our (Google's) primary concern in restricting access is ensuring that those using Chrome's list do so in a way that is compatible with the health of other CT-enforcing user agents (like Chrome) and the CT ecosystem broadly, and we have confidence that Mozilla is doing that. 

Joe, from Chrome's CT team
