On Fri, Aug 11, 2017 at 03:02:11AM -0700, edmond...@gmail.com wrote:

> What can we do if we fail to find any non-Google CT log server that replies
> to us with an SCT, because either all CT log servers are down or they have
> been DQ'd?

You can issue without embedding SCTs, it'll just mean the server presenting
the certificate will have to acquire and present additional SCTs (via
stapled OCSP response or TLS extension) in order for the certificate to be
trusted.

> Will Google consider reviewing their policy if the number of non-Google CT
> log servers is lower after Apr 2018?

CT logs are just another resource your business relies on. Just like you do
an analysis of failure rates of servers, HSMs, facilities, and personnel,
and pay for excess to ensure sufficient redundancy, you should do the same
thing for CT logs. If you believe you need access to additional CT logs to
ensure reliability, you should do the needful to ensure they are available
to you -- whether that's standing up one or more CT logs of your own, or
contracting with a third party on a commercial basis.

- Matt
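Added example (not part of the message above, and not the Chrome CT policy implementation): a small Python model of what the reply describes. SCTs can reach a client embedded in the certificate, in a stapled OCSP response, or in the TLS extension, and a log that has been DQ'd stops contributing usable SCTs. The compliance rule used here, at least one usable SCT from a Google-operated log and one from a non-Google log counted across all delivery channels, and the log IDs, timestamps and disqualification time are constructed assumptions for illustration, not real log identifiers or the actual policy thresholds.

```python
"""Simplified model of merging SCTs from the three delivery channels and
checking them against a CT log list that records qualification status.

Example code added for this discussion; not from the original message and
not the real Chrome CT policy. The rule applied (one usable SCT from a
Google-operated log plus one from a non-Google log, any delivery channel)
is a simplified assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Source(Enum):
    """How the TLS server delivered the SCT to the client."""
    EMBEDDED = "embedded in certificate (added at issuance)"
    OCSP = "stapled OCSP response"
    TLS_EXT = "TLS signed_certificate_timestamp extension"


@dataclass(frozen=True)
class LogInfo:
    log_id: str
    google_operated: bool
    # Disqualification time in ms since epoch; None means still qualified.
    disqualified_at: Optional[int] = None


@dataclass(frozen=True)
class SCT:
    log_id: str
    timestamp: int  # ms since epoch, as carried in the SCT structure
    source: Source


# Constructed log list with placeholder IDs (not real CT log identifiers).
LOGS: Dict[str, LogInfo] = {
    "google-log-a": LogInfo("google-log-a", google_operated=True),
    "google-log-b": LogInfo("google-log-b", google_operated=True),
    "other-log-x": LogInfo("other-log-x", google_operated=False),
    # A non-Google log disqualified at a constructed instant.
    "other-log-dq": LogInfo("other-log-dq", google_operated=False,
                            disqualified_at=1_500_000_000_000),
}


def sct_is_usable(sct: SCT, logs: Dict[str, LogInfo]) -> bool:
    """An SCT counts only if its log is known and was still qualified when
    the SCT was issued (simplified rule assumed for this example)."""
    log = logs.get(sct.log_id)
    if log is None:
        return False  # unknown log: cannot be evaluated, so it does not count
    if log.disqualified_at is not None and sct.timestamp >= log.disqualified_at:
        return False  # issued after the log was DQ'd
    return True


def evaluate(scts: List[SCT], logs: Dict[str, LogInfo]) -> Tuple[bool, List[str], List[str]]:
    """Merge SCTs from every delivery channel and return
    (compliant, google_log_ids, non_google_log_ids) over the usable ones."""
    usable = [s for s in scts if sct_is_usable(s, logs)]
    google = sorted({s.log_id for s in usable if logs[s.log_id].google_operated})
    non_google = sorted({s.log_id for s in usable if not logs[s.log_id].google_operated})
    return (bool(google) and bool(non_google), google, non_google)


def scenario_issued_without_non_google_sct() -> Tuple[bool, bool]:
    """The situation in the thread: only Google logs answered at issuance, so
    the certificate embeds Google SCTs only. The server later obtains a
    non-Google SCT and staples it via OCSP. Returns (before, after)."""
    embedded = [
        SCT("google-log-a", 1_502_000_000_000, Source.EMBEDDED),
        SCT("google-log-b", 1_502_000_000_000, Source.EMBEDDED),
    ]
    before, _, _ = evaluate(embedded, LOGS)
    stapled = embedded + [SCT("other-log-x", 1_502_500_000_000, Source.OCSP)]
    after, _, _ = evaluate(stapled, LOGS)
    return before, after


def scenario_disqualified_log() -> bool:
    """A non-Google SCT issued after its log's disqualification does not help,
    so the certificate remains non-compliant."""
    scts = [
        SCT("google-log-a", 1_502_000_000_000, Source.EMBEDDED),
        SCT("other-log-dq", 1_502_500_000_000, Source.TLS_EXT),
    ]
    compliant, _, _ = evaluate(scts, LOGS)
    return compliant


if __name__ == "__main__":
    print("Google SCTs only, then OCSP-stapled non-Google SCT:",
          scenario_issued_without_non_google_sct())
    print("non-Google SCT from a DQ'd log:", scenario_disqualified_log())
```

The point the model makes explicit is that the delivery channel does not matter to the check; what matters is that, across all channels, the client ends up with SCTs from qualified logs of both kinds, which is why a certificate issued with only Google SCTs can be repaired at serving time rather than reissued.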