(→Response: Add note about the problems of already discovered CA misissuances and why sublabels are important) |
(→Response: While a concern was raised about the policies, it did not capture that the specific reason for Chrome's deployment delay was the engagement by Amazon with concrete proposals for additional policy flexibility that minimized risk) |
||
Line 11: | Line 11: | ||
===== Response ===== | ===== Response ===== | ||
In Chrome at least, which is currently the only browser that checks CT, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots. | In Chrome at least, which is currently the only browser that checks CT, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots. In addition to the existing policies that allow whitelisting per-domain, Chrome has announced it will allow some limited flexibility for whitelisting by keys, to support organizations with managed CAs for a set of domains. This was part of why Chrome deferred from requiring CT to April 2017. | ||
=== Concealing Network Topography === | === Concealing Network Topography === |
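Review bot: The closing sentence added to the Response paragraph, "This was part of why Chrome deferred from requiring CT to April 2017", does not match the edit summary. The summary gives Amazon's engagement with concrete proposals as the specific reason for the delay, while the added text calls key-based whitelisting only "part of why" and does not mention Amazon. It also cites no source for the Chrome announcement. Suggest adding a reference for the announcement and bringing the sentence in line with the summary. The phrase "deferred from requiring CT to April 2017" would read more clearly as "deferred requiring CT until April 2017", and "whitelisting by keys" should say which keys are meant, since the preceding sentence already distinguishes per-root and per-domain exemptions.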