mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 06:43:32 +00:00
49686e9766
This updates the certificate transparency policy based on Chrome's policy, found at https://googlechrome.github.io/CertificateTransparency/ct_policy.html. Both it and the Chrome policy are similar to the Apple policy, found at https://support.apple.com/en-us/103214.

Essentially, the policy can be satisfied in two ways, depending on the source of the collected SCTs.

For embedded SCTs, at least one must be from a log that was Admissible (Qualified, Usable, or ReadOnly) at the time of the check. There must be SCTs from N distinct logs that were Admissible or Retired at the time of the check, where N depends on the lifetime of the certificate. If the certificate lifetime is less than or equal to 180 days, N is 2. Otherwise, N is 3. Among these SCTs, at least two must be issued from distinct log operators.

For SCTs delivered via the TLS handshake or an OCSP response, at least two must be from a log that was Admissible at the time of the check. Among these SCTs, at least two must be issued from distinct log operators.

Differential Revision: https://phabricator.services.mozilla.com/D218800
tests/gtest
CertVerifier.cpp
CertVerifier.h
CRLiteTimestamp.h
ExtendedValidation.cpp
ExtendedValidation.h
metrics.yaml
moz.build
NSSCertDBTrustDomain.cpp
NSSCertDBTrustDomain.h
OCSPCache.cpp
OCSPCache.h
TrustOverride-AppleGoogleDigiCertData.inc
TrustOverride-SymantecData.inc
TrustOverrideUtils.h