Certificate Transparency

Mike Kaply

Dec 19, 2024, 10:06:04 AM
to Mozilla.org
The security engineering team at Mozilla has been working to enforce certificate transparency in Firefox. As part of this work, we wanted to reach out to enterprise contacts to notify them of this work and to ask that they test that internal domains that use certificates issued by CAs in the public web PKI work with prerelease versions of Firefox to ensure there are no compatibility issues. Certificate transparency is enabled by default starting in Firefox Nightly version 133 and Firefox Beta version 134. We are tentatively planning to roll out certificate transparency in Firefox 135, which releases February 4th, 2025.

We do not anticipate any issues, due to the close alignment of Firefox with Chrome's certificate transparency implementation. However, those who make use of the Chrome enterprise policies CertificateTransparencyEnforcementDisabledForUrls or CertificateTransparencyEnforcementDisabledForCas will need to use Firefox's policy mechanism to set the preferences security.pki.certificate_transparency.disable_for_hosts or security.pki.certificate_transparency.disable_for_spki_hashes, as appropriate. To disable certificate transparency entirely, set security.pki.certificate_transparency.mode to 0.

For more information, see https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency.

Mike
--
Mike Kaply
Technical Partner Lead
Mozilla Corporation
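
An added example, not part of the message above and not Mozilla's code: a sketch that carries per-host and per-CA exemptions from the two Chrome policies into a Firefox `policies.json` that sets the two preferences named in the announcement. It assumes Chrome's CA entries have the form `sha256/<base64>` and that each Firefox preference takes one comma-separated string; confirm both formats on the wiki page linked above.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Preference names as given in the announcement.
HOSTS_PREF = "security.pki.certificate_transparency.disable_for_hosts"
SPKI_PREF = "security.pki.certificate_transparency.disable_for_spki_hashes"


def host_from_chrome_pattern(pattern):
    """Reduce a Chrome URL pattern to one hostname; refuse wildcards."""
    host = urlsplit(pattern if "//" in pattern else "//" + pattern).hostname
    if not host or "*" in host:
        raise ValueError(f"not a single host: {pattern!r}")
    return host


def spki_from_chrome_entry(entry):
    """Strip the assumed 'sha256/' prefix and check the digest is 32 bytes."""
    algo, _, b64 = entry.partition("/")
    if algo != "sha256" or len(base64.b64decode(b64, validate=True)) != 32:
        raise ValueError(f"not a sha256 SPKI hash: {entry!r}")
    return b64


def firefox_policies(chrome_urls, chrome_cas):
    """Build a policies.json document that locks the two exemption prefs."""
    prefs = {}
    hosts = sorted({host_from_chrome_pattern(p) for p in chrome_urls})
    hashes = sorted({spki_from_chrome_entry(e) for e in chrome_cas})
    # Assumption: each pref is a single comma-separated string.
    if hosts:
        prefs[HOSTS_PREF] = {"Value": ",".join(hosts), "Status": "locked"}
    if hashes:
        prefs[SPKI_PREF] = {"Value": ",".join(hashes), "Status": "locked"}
    return {"policies": {"Preferences": prefs}}


# Constructed sample input; neither value identifies a real host or CA.
SAMPLE_URLS = ["https://intranet.example.test/app", "intranet.example.test:8443"]
SAMPLE_SPKI = base64.b64encode(hashlib.sha256(b"constructed key").digest()).decode()
SAMPLE_CAS = ["sha256/" + SAMPLE_SPKI]

if __name__ == "__main__":
    print(json.dumps(firefox_policies(SAMPLE_URLS, SAMPLE_CAS), indent=2))
```

Wildcard patterns are rejected rather than translated, because the two browsers may match subdomains differently and a broad exemption should be a deliberate choice.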

Andrei Boros

Dec 23, 2024, 9:28:56 AM
to enter...@mozilla.org
With CT, will the use of self-signed certificates, or of certificates signed by non-public CAs, within the enterprise's internal network require such preferences to be set on all involved workstations in future versions of Firefox?
--

ing. Andrei Boros

Serviciul IT&C
Radio Romania
Tel:   +40-21-303-1870
       +40-745-115721
Email: and...@srr.ro

Mike Kaply

Dec 31, 2024, 11:39:06 AM
to Andrei Boros, enter...@mozilla.org
From the security team:

CT won't affect self-signed certificates or certificates issued by CAs that aren't publicly trusted.

Mike
