Closed Bug 1912120 Opened 2 months ago Closed 2 months ago

implement updated certificate transparency policy

Categories: (Core :: Security: PSM, task, P1)
Status: RESOLVED FIXED
Target Milestone: 131 Branch
Tracking Status: firefox131 --- fixed
People: (Reporter: keeler, Assigned: keeler)
References: (Blocks 1 open bug)
Details: (Whiteboard: [psm-assigned])
Attachments: (1 file)

When certificate transparency was initially being implemented in Firefox, we hadn't decided on a policy of how many/from what sources/logs SCTs would be required to verify a certificate. In the intervening time, other browser implementations have converged on roughly equivalent policies that don't require SCTs from a particular log operator (which was a point of concern for Mozilla at the time). We can now adopt a policy that is compatible with other browsers.

For reference, this is Chrome's policy: https://googlechrome.github.io/CertificateTransparency/ct_policy.html
And this is Apple's policy: https://support.apple.com/en-us/103214

This updates the certificate transparency policy based on Chrome's policy,
found at https://googlechrome.github.io/CertificateTransparency/ct_policy.html.
Both it and the Chrome policy are similar to the Apple policy, found at
https://support.apple.com/en-us/103214.

Essentially, the policy can be satisfied in two ways, depending on the source
of the collected SCTs.
For embedded SCTs, at least one must be from a log that was Admissible
(Qualified, Usable, or ReadOnly) at the time of the check. There must be SCTs
from N distinct logs that were Admissible or Retired at the time of the check,
where N depends on the lifetime of the certificate. If the certificate lifetime
is less than or equal to 180 days, N is 2. Otherwise, N is 3. Among these SCTs,
at least two must be issued from distinct log operators.
For SCTs delivered via the TLS handshake or an OCSP response, at least two must
be from a log that was Admissible at the time of the check. Among these SCTs,
at least two must be issued from distinct log operators.
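
The two-path policy described in the commit message above, written out as a compliance check. This is an added example, not the code from the attached Firefox patch: all type and function names are hypothetical, and it assumes the SCTs were already verified and that SCTs from the TLS handshake and from OCSP are pooled into one set, kept separate from embedded SCTs.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical names throughout; this is not Firefox's own implementation.
enum class LogState { Admissible, Retired, Other };  // Admissible = Qualified, Usable or ReadOnly
enum class Origin { Embedded, TlsHandshake, OcspResponse };

struct Sct {
  Origin origin;
  std::string logId;
  std::string logOperator;
  LogState state;  // state of the issuing log at the time of the check
};

// Evaluates one of the two paths: embedded SCTs, or TLS/OCSP SCTs pooled together.
static bool PathSatisfied(const std::vector<Sct>& scts, bool embedded, std::size_t minLogs) {
  std::set<std::string> logs, operators;
  bool sawAdmissible = false;
  for (const Sct& s : scts) {
    if ((s.origin == Origin::Embedded) != embedded) continue;
    const bool admissible = s.state == LogState::Admissible;
    // Retired logs count toward the totals only on the embedded path.
    if (!admissible && !(embedded && s.state == LogState::Retired)) continue;
    sawAdmissible = sawAdmissible || admissible;
    logs.insert(s.logId);
    operators.insert(s.logOperator);
  }
  return sawAdmissible && logs.size() >= minLogs && operators.size() >= 2;
}

// Assumes every SCT passed in has already had its signature and timestamp verified.
bool CtPolicyCompliant(const std::vector<Sct>& scts, int lifetimeDays) {
  const std::size_t n = lifetimeDays <= 180 ? 2 : 3;  // N from the certificate lifetime
  return PathSatisfied(scts, true, n) || PathSatisfied(scts, false, 2);
}

int main() {
  // Constructed sample: two embedded SCTs, one from a retired log, distinct operators.
  const std::vector<Sct> scts = {
      {Origin::Embedded, "log-a", "operator-1", LogState::Admissible},
      {Origin::Embedded, "log-b", "operator-2", LogState::Retired}};
  std::cout << "90-day cert:  " << CtPolicyCompliant(scts, 90) << "\n";
  std::cout << "398-day cert: " << CtPolicyCompliant(scts, 398) << "\n";
  return 0;
}
```

The same pair of SCTs satisfies the policy for a 90-day certificate but not for a 398-day one, which needs a third distinct log.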

Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eff1daea0fac implement updated certificate transparency policy r=jschanck
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch