--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB472996175CFFA847A788DF44AA462%40MW4PR17MB4729.namprd17.prod.outlook.com.
I agree. Unfortunately, an extension of this period essentially slows down the agility of the CT ecosystem. I hope the implementers of this work sync with the Chrome and Apple teams to understand the reasons behind some of their implementation behaviors so they can be taken into consideration. For example, I believe both turn off CT enforcement after some time due to past issues. Regardless, I am happy to finally see this work proceed and wish the Mozilla team success in this journey.
If I understand correctly from Bug 1921525, CT enforcement just landed in Firefox Nightly. Congratulations, Mozilla team! I have questions though...
Am I correct that Firefox Nightly is currently using this hard-coded log list, meaning that log list changes will be tied to browser releases?
Does Mozilla have a CT Log Policy yet?
Chrome is working towards allowing static-ct-api logs in addition to RFC6962 logs. Does Mozilla plan to do the same?
On Wed, Oct 16, 2024 at 10:22 AM 'Matthew McPherrin' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
It appears that Firefox has a 12-week time-gate on enforcement:
This is two weeks longer than Chrome's 70 day enforcement gate, which seems like it could potentially cause issues, assuming CAs are looking at Apple and Google's "Usable" state only. I think in practice logs are "usable" well in advance of their submission windows, so this may cause a tricky-to-diagnose edge case for Firefox users that only happens rarely.
This is two weeks longer than Chrome's 70 day enforcement gate, which seems like it could potentially cause issues
Yes, one would hope that we wouldn't negatively impact the agility of the ecosystem. I'm sure we can find a way to rectify this misalignment.