On 16/11/2016 02:13, Nick Lamb wrote:
> On Tuesday, 15 November 2016 09:35:17 UTC, Jakob Bohm wrote:
> > The HTTPS-everywhere tendency, including the plans of some people to
> > completely remove unencrypted HTTP from implementations, makes it
> > necessary for non-public stuff connected to the Internet to get
> > Internet-compatible TLS certificates.
> > That happens to be the same as the WebPKI
>
> No. You mistake a convenience for a necessity. It is certainly _convenient_ if
> everything in the world trusts your claim of identity without any action but
> it's not _necessary_ that it must be so. If you want this convenience, you must
> pay us the courtesy of being open and honest. If you would rather not, too bad
> we don't trust you. Let me be more specific: I don't trust you.


You are confusing everything with something.

What is typically wanted when requesting non-public/redacted WebPKI
certificates is that the certificate is trusted by those devices that
are used by authorized visitors but which don't allow installing
corporate CA roots to their trust stores.

There is also the case where the authorized user has a limited trust
relationship (e.g. a paying customer or a paid supplier) such that they
would not install an unrestricted corporate CA certificate capable of
signing certificates outside the certificate holder's domain(s).

Redacted CT records that tell the world that "there is this single
certificate with this full TBS hash and these technical extensions
issued to some name domain/e-mail under example.com, but it is not
public which specific name/e-mail address" would fulfill all the truly
needed openness without giving away the specific contact point where
the subject holder can be harassed or attacked.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
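The redacted-record idea in the message above (a log entry that carries the full TBS hash and the technical extensions but hides the specific host label under the registered domain) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from any CT log implementation. It assumes a simplified certificate represented as a Python dict with constructed TBS bytes, treats the last two DNS labels as the registered domain (real code would consult the public suffix list), and uses a `?` placeholder per hidden label in the spirit of the later-withdrawn rfc6962-bis name-redaction drafts; all three are assumptions, not facts from the page. It also shows the check a relying party would want: verifying a later-disclosed full certificate against the published redacted entry.

```python
import hashlib

# Constructed sample certificate (not a real X.509 object): TBS bytes,
# DNS SANs, and the OIDs of the extensions present.
SAMPLE_CERT = {
    "tbs": b"constructed-tbs-bytes-for-illustration-only",
    "san_dns": ["intranet.example.com", "vpn.corp.example.com"],
    # keyUsage, basicConstraints, subjectAltName (OIDs only, values omitted)
    "extensions": ["2.5.29.15", "2.5.29.19", "2.5.29.17"],
}


def tbs_hash(cert):
    """SHA-256 over the TBS bytes: binds the redacted entry to one exact certificate."""
    return hashlib.sha256(cert["tbs"]).hexdigest()


def redact_name(name, keep_labels=2):
    """Replace every label left of the registered domain with '?'.

    Assumption: the registered domain is the last `keep_labels` labels.
    Note that this still reveals how many labels were hidden.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= keep_labels:
        return ".".join(labels)
    hidden = len(labels) - keep_labels
    return ".".join(["?"] * hidden + labels[-keep_labels:])


def redacted_entry(cert):
    """Build the log record as described in the thread: hash, extensions,
    and only the public part of each name."""
    return {
        "tbs_sha256": tbs_hash(cert),
        "extensions": sorted(cert["extensions"]),
        "names": sorted({redact_name(n) for n in cert["san_dns"]}),
    }


def name_matches(full, redacted):
    """True if `full` is one possible expansion of the redacted pattern."""
    f = full.lower().rstrip(".").split(".")
    r = redacted.split(".")
    if len(f) != len(r):
        return False
    return all(rl == "?" or rl == fl for fl, rl in zip(f, r))


def verify_against_entry(cert, entry):
    """Check a disclosed full certificate against a published redacted entry.

    The hash check catches any change to the certificate body; the name check
    catches a certificate whose SANs fall outside the domains the entry claimed.
    """
    if tbs_hash(cert) != entry["tbs_sha256"]:
        return False
    if sorted(cert["extensions"]) != entry["extensions"]:
        return False
    return all(
        any(name_matches(n, pattern) for pattern in entry["names"])
        for n in cert["san_dns"]
    )


if __name__ == "__main__":
    entry = redacted_entry(SAMPLE_CERT)
    print(entry)
    print("disclosed cert matches entry:", verify_against_entry(SAMPLE_CERT, entry))
```

The verification step is the part worth keeping in mind when weighing the proposal: a redacted entry is only useful to a relying party if, once the full certificate is disclosed, it can be tied unambiguously to that entry, and the TBS hash is what provides that binding.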
