On 23/09/2016 12:51, Peter Gutmann wrote:
Jakob Bohm <jb-mozi...@wisemo.com> writes:

While you are at it:

1. How many WoSign/StartCom certificates did you find with domains not
  on that IANA list?

2. How many WoSign/StartCom certificates did you find for other uses
  than https://www.example.tld:

2.1 Certificates for "odd" subdomains such as "extranet.example.com"

2.2 Certificates for e-mail

2.3 Code signing certificates

2.4 Others?

Note that if you ding WoSign for this you'd also need to indict half the
commercial CAs on the planet for issuing certs to non-qualified domains,
RFC 1918 addresses, duplicate names, you name it...

Peter.


That wasn't my point.

My point was that the categories I listed probably contain lots of
in-use valid and correctly issued certificates that would need to be
included in any white-listing mechanism.

Thus the size of any "trust table" or "trust name tree" etc. would need
to include space to preserve the validity of those certificates too,
especially for the cases where the relevant mechanism is used in
something other than Firefox and Chrome.  For example Mozilla
Thunderbird uses the Mozilla root CA list and related NSS code to check
mail server TLS certificates and e-mail signature/encryption
certificates.  Non-Mozilla projects such as the Debian Linux
distribution use the Mozilla root CA list as the main source of their
list of certificates for *all purposes*, not just TLS and e-mail.

I am aware of at least one non-Mozilla Browser which still uses NSS
code and the Mozilla root CA list for code signing certificates.
Releases of that browser itself are signed with valid StartCom OV code
signing certificates.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
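The categories Jakob asks about (non-IANA TLDs, "odd" subdomains, e-mail, code signing, other) and the RFC 1918 addresses Peter mentions are exactly the buckets a survey of a CA's corpus would need to sort certificates into before sizing any white-list. The script below is an added illustration of that sorting, not code from the thread or from Mozilla; it works on constructed certificate summaries (subject, SAN entries, EKU OIDs) rather than parsing real DER, its IANA TLD set is a hand-picked stand-in for the real root zone list, and its definition of an "odd" subdomain (three or more labels, not a plain "www." host) is an assumption made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Extended Key Usage OIDs as defined in RFC 5280, section 4.2.1.12.
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Constructed subset standing in for the IANA root zone list; a real survey
# would load https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
IANA_TLDS = {"com", "net", "org", "dk", "de", "uk"}


@dataclass(frozen=True)
class CertSummary:
    """Fields a survey would extract from a certificate (constructed here)."""
    label: str
    dns_names: tuple[str, ...] = ()   # SAN dNSName entries
    ip_names: tuple[str, ...] = ()    # SAN iPAddress entries, as text
    emails: tuple[str, ...] = ()      # SAN rfc822Name entries
    ekus: tuple[str, ...] = ()        # EKU OIDs; empty means no EKU extension


def non_iana_names(cert: CertSummary) -> list[str]:
    """dNSNames whose last label is not a delegated TLD (category 1)."""
    return [n for n in cert.dns_names
            if n.rstrip(".").rsplit(".", 1)[-1].lower() not in IANA_TLDS]


def private_ips(cert: CertSummary) -> list[str]:
    """iPAddress SANs in private ranges (RFC 1918 / RFC 4193), or unparsable."""
    flagged = []
    for ip in cert.ip_names:
        try:
            if ipaddress.ip_address(ip).is_private:
                flagged.append(ip)
        except ValueError:
            flagged.append(ip)  # not even a valid address; worth a look too
    return flagged


def odd_subdomains(cert: CertSummary) -> list[str]:
    """Assumption for this example: 'odd' = 3+ labels and not a www. host."""
    return [n for n in cert.dns_names
            if n.count(".") >= 2 and not n.startswith("www.")]


def classify(cert: CertSummary) -> set[str]:
    """Return every category a certificate falls into (a cert may hit several)."""
    cats: set[str] = set()
    if non_iana_names(cert):
        cats.add("1:non-iana-tld")
    if private_ips(cert):
        cats.add("private-ip")
    if EKU_SERVER_AUTH in cert.ekus and odd_subdomains(cert):
        cats.add("2.1:odd-subdomain")
    if EKU_EMAIL_PROTECTION in cert.ekus or cert.emails:
        cats.add("2.2:email")
    if EKU_CODE_SIGNING in cert.ekus:
        cats.add("2.3:code-signing")
    known = {EKU_SERVER_AUTH, EKU_EMAIL_PROTECTION, EKU_CODE_SIGNING}
    # No EKU extension at all means "valid for any purpose", which a
    # TLS-only white-list would silently break, so it counts as "other".
    if not set(cert.ekus) & known:
        cats.add("2.4:other")
    if not cats:
        cats.add("plain-https")
    return cats


def tally(certs: tuple[CertSummary, ...]) -> dict[str, int]:
    """Count how many certificates land in each category."""
    counts: dict[str, int] = {}
    for cert in certs:
        for cat in classify(cert):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample corpus; none of these are real certificates.
SAMPLE = (
    CertSummary("www.example.com", dns_names=("www.example.com", "example.com"),
                ekus=(EKU_SERVER_AUTH,)),
    CertSummary("extranet.example.com", dns_names=("extranet.example.com",),
                ekus=(EKU_SERVER_AUTH,)),
    CertSummary("mail.example.local", dns_names=("mail.example.local",),
                ip_names=("10.0.0.5",), ekus=(EKU_SERVER_AUTH,)),
    CertSummary("alice@example.dk", emails=("alice@example.dk",),
                ekus=(EKU_EMAIL_PROTECTION,)),
    CertSummary("release-signing (constructed)", ekus=(EKU_CODE_SIGNING,)),
    CertSummary("no-EKU cert", dns_names=("www.example.org",)),
)

if __name__ == "__main__":
    for cert in SAMPLE:
        print(f"{cert.label:32} {sorted(classify(cert))}")
    print(tally(SAMPLE))
```

Running it on the constructed corpus puts only the first certificate in the plain-HTTPS bucket; the others each need an entry in some non-HTTPS part of a white-list, which is the sizing point being made above.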
