On 12/01/2016 16:49, Phillip Hallam-Baker wrote:
It really isn't a good idea for Mozilla to try to mitigate the
security concerns of people living in a police state. The cost of
doing so is you will set precedents that others demand be respected.
Yes providing crypto with a hole in it will be better than no crypto
at all for the people who don't have access to full strength crypto.
But if you go that route only crypto with a hole will be available.
No one (except the MiTM CA itself, possibly) is suggesting that Mozilla
include or authorize any MiTM CA to work in its browsers (or anything
else using the Mozilla CA list).
The discussion is how to *not* authorize it, without thereby causing too
much collateral damage.
Questions being seriously discussed:
- Should Mozilla add specific mechanisms that prevent the subjects of a
police state from obeying police orders to compromise their own
browser? This is the most hotly debated topic in this thread.
- Should Mozilla find a mechanism to allow only the non-MiTM part of a
dual use CA which is being used both as an MiTM CA and as the
legitimate CA for accessing government services, such as transit visa
applications by foreign travelers planning to cross the territory of
the police state on their way somewhere else?
- How to most easily reject requests by the MiTM CAs to become
globally trusted CAs in the Mozilla CA store. Without causing
precedents that would hurt legitimate CAs from countries that happen
not to be allies of the USA. So far, the best suggestion (other than
to stall them on technicalities) is to find an interpretation of the
existing CA rules which cannot be satisfied by any MiTM CA.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
