- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 24 Nov 2016 14:42:26 +1100
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: Emily Stark <estark@google.com>, IETF HTTP WG <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>
On 24 November 2016 at 13:33, =JeffH <Jeff.Hodges@kingsmountain.com> wrote: >> Do you think it would be reasonable to reference the Chromium + >> Mozilla CT policies but not define a particular policy in a normative >> way? > > > yep :) If HSTS is our benchmark, and that benchmark is so nebulous then it's a bad one. The objection that ekr raised was fair: how do I know what baseline I have to reach in order to avoid the footgun. Maybe there are weasel words that can be used to allow browsers to choose their own logs. But can we at least write down the basics: the certificate is logged, the TLS handshake includes an SCT, etc... Surely the current set of policies indicates a common set of principles that can be written into a specification. If we're well outside 6962 territory and into policy land, at least proscribe what falls into policy. Reading the Mozilla policy, it seems like number and choice of logs might be the only places where variation is possible.
Received on Thursday, 24 November 2016 03:42:58 UTC