SecurityEngineering/Certificate Transparency: Difference between revisions

→‎CT Log Policy: Added language about acceptance process
(→‎CT Log Policy: Added language qualifying addition of roots to existing logs)
(→‎CT Log Policy: Added language about acceptance process)
Line 28: Line 28:


=== CT Log Policy ===
=== CT Log Policy ===
Mozilla does not maintain a separate log application process. We recognize CT logs that appear in the Chromium log_list.json list, located at https://googlechrome.github.io/CertificateTransparency/log_lists.html. CT logs included in that list that are marked '''qualified''', '''usable''', '''readonly''', or '''retired''' are considered usable by Mozilla as described above. Log operators seeking inclusion or updates to their logs should apply through Google’s CT log program. For all '''Qualified''' and '''Usable''' logs, the operator MUST include in the Accepted Roots list all Root Certificates in NSS that have the websites trust bit enabled at the time the log is created or accepted for inclusion. Log operators are encouraged, but not required, to periodically update their Accepted Roots list to include newly trusted NSS roots. All log operators MUST maintain reliable availability, timely merging of submitted certificates, and ongoing compliance with all relevant CT operational requirements. Mozilla reserves the right to independently assess or disqualify any log to protect its users.
Mozilla does not maintain a separate log application process. We recognize CT logs that appear in the Chromium log_list.json list, located at https://googlechrome.github.io/CertificateTransparency/log_lists.html. CT logs included in that list that are marked '''qualified''', '''usable''', '''readonly''', or '''retired''' are considered usable by Mozilla as described above. Log operators seeking inclusion or updates to their logs should apply through Google’s CT log program. For all '''Qualified''' and '''Usable''' logs, the operator MUST include in the Accepted Roots list all Root Certificates in NSS that have the websites trust bit enabled at the time the log is created or accepted for inclusion. Log operators are expected to update their Accepted Roots list within a reasonable time after new NSS roots are added, so that logs accept submissions from all root CAs that have the websites trust bit enabled, with Mozilla allowing some flexibility to accommodate operational constraints provided the operator notifies Mozilla, documents the rationale and impact, and commits to a timeline for updating its Accepted Roots list. All log operators MUST maintain reliable availability, timely merging of submitted certificates, and ongoing compliance with all relevant CT operational requirements. Mozilla reserves the right to independently assess or disqualify any log to protect its users.
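Review bot: the rewritten Accepted Roots sentence ("Log operators are expected to update their Accepted Roots list within a reasonable time ...") sets no measurable deadline and drops the requirement keywords used by the sentences on either side of it, which say MUST. As written, a reader cannot tell whether updating for newly added NSS roots is a requirement or a recommendation, or when an operator has fallen out of compliance. Suggest using MUST or SHOULD explicitly, giving a concrete interval in place of "a reasonable time", and naming the channel through which the operator "notifies Mozilla". The sentence also carries the obligation, its purpose and the exception with three conditions in one run; splitting the flexibility clause into its own sentence would make those conditions easier to audit. Separately, in the unchanged text the list is called log_list.json while the link points to log_lists.html; linking or naming the JSON file directly would remove that ambiguity.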