Closed Bug 1349941 Opened 7 years ago Closed 6 years ago

Support Expect-CT for Opting-in to Certificate Transparency

Categories

(Core :: Security: PSM, enhancement, P2)

RESOLVED WONTFIX

People

(Reporter: jcj, Unassigned)

Details

(Keywords: dev-doc-needed)

There's a draft of an HTTP header "Expect-CT" [1] to provide site operators a mechanism to opt-in to providing Certificate Transparency information, with a debugging mechanism for instances where that information isn't provided.

Since this was first put together, Chrome announced they would require CT for all certificates, which is going to push this forward without really needing Expect-CT to provide a graceful transition, so this might well be moot. However, we might still consider implementation of this to provide site operators the reporting mechanism for debugging.

(Note, as of now, there's no new draft [1], but there are some additional security considerations written at [2].)

[1] https://datatracker.ietf.org/doc/draft-stark-expect-ct/
[2] https://github.com/bifurcation/expect-ct/blob/master/draft-stark-expect-ct.md
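As an added example (not Firefox/PSM code and not from the draft's authors), the following Python parses an Expect-CT header value using the comma-separated directive syntax from the draft [1] (max-age, enforce, report-uri) and shows how a CT-aware client would treat a non-compliant certificate under that policy; the header values used are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ExpectCT:
    max_age: int            # seconds the policy is cached by the client
    enforce: bool           # True: block non-CT-compliant connections
    report_uri: Optional[str]  # where CT failures are reported, if set

# One directive: name, optionally "=" and a quoted or bare value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s",]+)))?\s*$')

def parse_expect_ct(value: str) -> Optional[ExpectCT]:
    """Return the parsed policy, or None when the header must be ignored
    (malformed directive, duplicate directive, or missing max-age).
    Quoted values containing a comma are not handled by this simple splitter."""
    max_age, enforce, report_uri, seen = None, False, None, set()
    for part in value.split(","):
        if not part.strip():
            continue                      # empty list element is tolerated
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None                   # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "enforce":
            if arg is not None:
                return None               # enforce takes no value
            enforce = True
        elif name == "report-uri":
            if arg is None:
                return None
            report_uri = arg
        # unrecognised directives are skipped
    if max_age is None:
        return None                       # max-age is required
    return ExpectCT(max_age, enforce, report_uri)

def ct_decision(policy: ExpectCT, ct_compliant: bool) -> str:
    """What a CT-aware client does with a connection under this policy."""
    if ct_compliant:
        return "accept"
    if policy.enforce:
        return "block and report" if policy.report_uri else "block"
    return "report" if policy.report_uri else "accept"
```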
Docs got started here: https://developer.mozilla.org/docs/Web/HTTP/Headers/Expect-CT
This is now in Chrome 61 and Opera 48 enabled by default per https://www.chromestatus.com/features/5677171733430272
Keywords: dev-doc-needed
Chromium will require CT for certs issued after 30 April 2018. [1]
What would be the benefit of this optional header when CT is required anyway in (some) browsers?

[1] https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ
(In reply to sjw from comment #3)
> Chromium will require CT for certs issued after 30 April 2018. [1]
> What would be the benefit of this optional header when CT is required anyway
> in (some) browsers?

Indeed; minimal, if any.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
The benefit is that it protects against someone issuing a fraudulent certificate and a) targeting only Firefox (and other non-CT enforcing browsers with it), b) backdating it to (for the next few years) evade Chrome's requirement.