Confirmed users
308
edits
SecurityEngineering/Certificate Transparency: Difference between revisions
Jump to navigation
Jump to search
m
SecurityEngineering/Certificate Transparency (view source)
Revision as of 17:02, 25 June 2025
, 25 June→Enterprise Policies: tweak format of previous edit
(Add info about the prefix being unnecessary.) |
m (→Enterprise Policies: tweak format of previous edit) |
||
| Line 9: | Line 9: | ||
The preference ''security.pki.certificate_transparency.disable_for_hosts'' can be used to disable enforcing CT for specific hosts. To do so, specify any number of entries separated by commas. Each entry of the form '''example.com''' will disable CT for '''example.com''' and all subdomains of that domain. Entries of the form '''.example.com''' will disable CT for '''example.com''' only. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls CertificateTransparencyEnforcementDisabledForUrls]. | The preference ''security.pki.certificate_transparency.disable_for_hosts'' can be used to disable enforcing CT for specific hosts. To do so, specify any number of entries separated by commas. Each entry of the form '''example.com''' will disable CT for '''example.com''' and all subdomains of that domain. Entries of the form '''.example.com''' will disable CT for '''example.com''' only. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls CertificateTransparencyEnforcementDisabledForUrls]. | ||
The preference ''security.pki.certificate_transparency.disable_for_spki_hashes'' can be used to disable enforcing CT for certificate chains where one of the certificates in the chain has a matching subject public key info. To do so, specify any number of entries separated by commas. Each entry must be the base64-encoded sha-256 hash of a certificate's DER-encoded subject public key info. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas CertificateTransparencyEnforcementDisabledForCas], but the ''sha256/'' prefix is not included. | The preference ''security.pki.certificate_transparency.disable_for_spki_hashes'' can be used to disable enforcing CT for certificate chains where one of the certificates in the chain has a matching subject public key info. To do so, specify any number of entries separated by commas. Each entry must be the base64-encoded sha-256 hash of a certificate's DER-encoded subject public key info. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas CertificateTransparencyEnforcementDisabledForCas], but the '''sha256/''' prefix is not included. | ||
Both of these preferences can be set via [https://mozilla.github.io/policy-templates/#preferences policy]. | Both of these preferences can be set via [https://mozilla.github.io/policy-templates/#preferences policy]. | ||