W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: CT-Policy (was: Comments on draft-stark-expect-ct-00)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 24 Nov 2016 14:42:26 +1100
Message-ID: <CABkgnnWhMz0pf7P55Drp1w3vVgY2w90kTPmOzQ-He1CJnnWUJQ@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: Emily Stark <estark@google.com>, IETF HTTP WG <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>
On 24 November 2016 at 13:33, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>> Do you think it would be reasonable to reference the Chromium +
>> Mozilla CT policies but not define a particular policy in a normative
>> way?
> yep :)

If HSTS is our benchmark, and that benchmark is so nebulous then it's
a bad one.  The objection that ekr raised was fair: how do I know what
baseline I have to reach in order to avoid the footgun.

Maybe there are weasel words that can be used to allow browsers to
choose their own logs.  But can we at least write down the basics: the
certificate is logged, the TLS handshake includes an SCT, etc...
Surely the current set of policies indicates a common set of
principles that can be written into a specification.

If we're well outside 6962 territory and into policy land, at least
proscribe what falls into policy.  Reading the Mozilla policy, it
seems like number and choice of logs might be the only places where
variation is possible.
Received on Thursday, 24 November 2016 03:42:58 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 24 November 2016 03:43:03 UTC