SecurityEngineering/Certificate Transparency: Difference between revisions

Add info about the prefix being unnecessary.
m (add note that CT is enabled in release 135 on desktop →‎Certificate Transparency Support in Firefox)
(Add info about the prefix being unnecessary.)
Line 9: Line 9:
The preference ''security.pki.certificate_transparency.disable_for_hosts'' can be used to disable enforcing CT for specific hosts. To do so, specify any number of entries separated by commas. Each entry of the form '''example.com''' will disable CT for '''example.com''' and all subdomains of that domain. Entries of the form '''.example.com''' will disable CT for '''example.com''' only. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls CertificateTransparencyEnforcementDisabledForUrls].
The preference ''security.pki.certificate_transparency.disable_for_hosts'' can be used to disable enforcing CT for specific hosts. To do so, specify any number of entries separated by commas. Each entry of the form '''example.com''' will disable CT for '''example.com''' and all subdomains of that domain. Entries of the form '''.example.com''' will disable CT for '''example.com''' only. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls CertificateTransparencyEnforcementDisabledForUrls].


The preference ''security.pki.certificate_transparency.disable_for_spki_hashes'' can be used to disable enforcing CT for certificate chains where one of the certificates in the chain has a matching subject public key info. To do so, specify any number of entries separated by commas. Each entry must be the base64-encoded sha-256 hash of a certificate's DER-encoded subject public key info. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas CertificateTransparencyEnforcementDisabledForCas].
The preference ''security.pki.certificate_transparency.disable_for_spki_hashes'' can be used to disable enforcing CT for certificate chains where one of the certificates in the chain has a matching subject public key info. To do so, specify any number of entries separated by commas. Each entry must be the base64-encoded sha-256 hash of a certificate's DER-encoded subject public key info. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas CertificateTransparencyEnforcementDisabledForCas], but the ''sha256/'' prefix is not included.


Both of these preferences can be set via [https://mozilla.github.io/policy-templates/#preferences policy].
Both of these preferences can be set via [https://mozilla.github.io/policy-templates/#preferences policy].
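Review bot: The clause appended to the ''disable_for_spki_hashes'' paragraph ("but the ''sha256/'' prefix is not included") does not say whether an entry that carries the prefix is tolerated or fails to match, and the edit summary calls the prefix "unnecessary", which reads as tolerated. Someone copying values straight from a Chrome CertificateTransparencyEnforcementDisabledForCas policy needs to know which it is, because a silently non-matching entry leaves CT enforced for a chain they meant to exempt. Consider moving the point into the format sentence ("Each entry must be the base64-encoded sha-256 hash ...") so the rule sits with the other format requirements, and state there how a prefixed entry is handled.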