This looks like a very accurate representation of the data protection European 
regulations. I have the same view. 

Not so easy to implement but if it is implemented correctly, I think very few 
people will disagree with the essence of this regulation. 

Dimitris. 

--
Sent from my mobile device. Pls excuse brevity and typos

> On 5 Nov 2016, at 11:50, Nick Lamb <tialara...@gmail.com> wrote:
> 
>> On Friday, 4 November 2016 19:37:07 UTC, Jeremy Rowley  wrote:
>> We also like the public disclosures CT requires as it's been essential in 
>> identifying issuing CAs and non-compliances.  That's probably not a surprise 
>> as we've always strongly supported CT. I do see the need for name redaction 
>> though as lots of the certificates are issued to individuals, and the 
>> European government freaks out whenever there is the potential disclosure of 
>> PII.
> 
> Unlike with DNS names / IP addresses in the Web PKI, I could still be 
> persuaded that redacting personal information about individual human 
> subscribers would make sense.
> 
> Nevertheless I think it's valuable to understand that European regulations in 
> this area ("Data Protection" is the usual English term) are not intended to 
> altogether prohibit the disclosure of PII. The regulations are instead 
> focused on ensuring that subjects know what is held about them, that they're 
> told how it will be used and why, that the data used is adequate yet not 
> excessive for that purpose, and that they can get any mistakes fixed.
> 
> So Data Protection could permit unredacted CT logging if it served some 
> legitimate purpose, particularly one that's in the subject's best interest 
> such as deterring identity fraud or protecting the integrity of the 
> certificate ecosystem they're using, and if subscribers were told about this 
> before they request the certificate.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
