Upcoming Chrome browser certificate transparency header

Is this going to be an issue that needs discussion soon? https://scotthelme.co.uk/a-new-security-header-expect-ct/

While I understand it doesn’t have anything to do with Let’s Encrypt directly, I think there should be some guidance or discussion about the requirement for this website header, since Google is threatening some dastardly deed if it is not present after October 2017. Thoughts, anyone?

Hi @mushu,

I think you’ve misinterpreted this. Google is threatening to stop trusting certificates that can’t prove that they’ve been logged in a CT log. Let’s Encrypt is already working on complying with this requirement (we already log all of our certificates in a CT log, but we’re working on providing the inclusion proofs that Google will require). We expect to complete this on time and there is nothing that users will have to do in order to be compliant.

Google is not proposing to require sites to send this header. Instead, this header can be used by sites that want to opt into some kind of CT enforcement.

2 Likes
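As an added illustration of what opting in looks like (this is not part of the original posts, and not Let's Encrypt or Google code), the Python below parses an Expect-CT header value and reports whether the site asked for enforcement or reporting only. It assumes the directive names `max-age`, `enforce` and `report-uri` from the Expect-CT specification (RFC 9163); the function names, mode labels and sample values are constructed for this example.

```python
import re

# One directive: a name, optionally "=token" or '="quoted string"', then "," or end.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^",\s]+)))?\s*(?:,|$)'
)

def parse_expect_ct(value):
    """Parse an Expect-CT header value into max_age, enforce and report_uri.

    Raises ValueError on malformed input, a duplicated directive, or a
    missing or non-numeric max-age. Unknown directives are ignored.
    """
    seen = {}
    pos = 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:
            raise ValueError(f"malformed directive at offset {pos}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age is required and must be a non-negative integer")
    if "enforce" in seen and seen["enforce"] is not None:
        raise ValueError("enforce takes no value")
    return {
        "max_age": int(max_age),               # seconds the browser remembers the policy
        "enforce": "enforce" in seen,          # refuse connections that fail CT checks
        "report_uri": seen.get("report-uri"),  # where failures are reported, if set
    }

def policy_mode(policy):
    """Classify a parsed policy (labels are this example's own)."""
    if policy["enforce"]:
        return "enforce"
    if policy["report_uri"]:
        return "report-only"
    return "no-effect"  # neither enforcement nor reporting was requested

if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    for header in ('max-age=86400, enforce, report-uri="https://example.test/ct"',
                   'max-age=0, report-uri="https://example.test/ct"'):
        parsed = parse_expect_ct(header)
        print(policy_mode(parsed), parsed)
```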

Ahhh, thanks for the clarification. I was worried that I’d have to set up yet another server header. While not a big deal, it’s just one more thing to deal with…sigh.
