On Tue, Apr 11, 2017 at 6:31 AM, Gervase Markham <g...@mozilla.org> wrote:
> Hi Ryan,
>
> On 10/04/17 17:03, Ryan Sleevi wrote:
> > 2) You stated that "browsers didn't process certificate policy extensions
> > content during path building". This fails to clarify whether you believe it
> > was a Baseline Requirements violation, which makes no such statements
> > regarding policy building. Further, no such browser has, except for EV,
> > made use of any policy IDs beyond path building.
>
> Can you clarify: are you asking if Steve believes that the BRs require
> _browsers_ to do such processing of certificate policy extensions?
>

No. I'm asking if Symantec, through Steve, is intending to sound like a Scooby Doo villain <https://www.youtube.com/watch?v=hXUqwuzcGeU>, or whether it's merely accidental that this reads as "I would have gotten away with it, if not for you meddling browsers".

More specifically, Symantec has failed to respond as to whether or not they agree with the facts presented and, if so, whether or not this represents a Baseline Requirements violation, as suggested. The reply could be read as suggesting "This was meaningfully technically controlled, it is simply that browsers failed to enforce that." This is problematic on multiple fronts, least of all because policy mapping and IDs have never been a meaningful form of technical control in the Web PKI, and so I'm hoping for further elaboration on the statement to ensure it is not misinterpreted.

> Or if he believes that cross-certifying into a hierarchy which relies
> upon such extensions is a BR violation?
>

This.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
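The exchange turns on what "processed certificate policy extensions during path building" would actually buy. The script below is an added illustration, not code from this thread, from Mozilla, or from any CA: it is a deliberately simplified model of RFC 5280 section 6.1 policy processing (valid-policy intersection plus policyMappings, without the full valid_policy_tree, inhibitAnyPolicy or requireExplicitPolicy handling) over a constructed cross-certified chain. The names (Root A, Other Root, Other Sub CA) and the policy OIDs under 1.3.6.1.4.1.99999 are made up for the example; only anyPolicy (2.5.29.32.0) is a real OID. It contrasts a validator that only chains names and checks the CA bit, which is the browser behaviour the thread describes, with one that narrows the acceptable policy set certificate by certificate. The point for a defender is the one Ryan makes: a leaf asserting a policy outside the cross-certified scope is rejected only by the second validator, so a policy-based "technical control" exists only where relying parties implement it.

```python
"""Simplified model of certificate-policy processing on a cross-certified chain.

Constructed illustration (not the full RFC 5280 section 6.1 algorithm). Contrasts
a validator that ignores certificatePolicies/policyMappings with one that
intersects policies while walking the path from the trust anchor to the leaf.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, the one real OID used here

# Constructed, hypothetical policy OIDs under a private-enterprise arc.
POLICY_A = "1.3.6.1.4.1.99999.1"  # policy the cross-certifying root expects
POLICY_B = "1.3.6.1.4.1.99999.2"  # the same policy as named in the other hierarchy
POLICY_C = "1.3.6.1.4.1.99999.3"  # a policy outside the cross-certified scope


@dataclass
class Cert:
    """Only the fields this model needs; everything else is assumed valid."""
    subject: str
    issuer: str
    is_ca: bool
    policies: frozenset = frozenset()                 # certificatePolicies OIDs
    mappings: dict = field(default_factory=dict)      # issuerDomainPolicy -> subjectDomainPolicy


def path_builds(chain, anchor_subject):
    """Name chaining and CA-bit checks only: what a policy-ignorant validator does."""
    expected_issuer = anchor_subject
    for cert in chain[:-1]:
        if cert.issuer != expected_issuer or not cert.is_ca:
            return False
        expected_issuer = cert.subject
    return chain[-1].issuer == expected_issuer


def policy_aware_policies(chain, initial_policies):
    """Return the policies under which the leaf is acceptable, or an empty set.

    Walks anchor-side first. Each certificate narrows the valid set to what it
    asserts (anyPolicy narrows nothing; a missing extension empties it), then
    its policyMappings rename policies for the next certificate in the path.
    """
    valid = set(initial_policies)
    for cert in chain:
        if not cert.policies:
            return set()
        if ANY_POLICY not in cert.policies:
            valid = set(cert.policies) if ANY_POLICY in valid else valid & cert.policies
        for issuer_pol, subject_pol in cert.mappings.items():
            if issuer_pol in valid:
                valid.discard(issuer_pol)
                valid.add(subject_pol)
        if not valid:
            return set()
    return valid


def build_chains():
    """Constructed chains: one conforming leaf, one leaf with a policy outside scope."""
    cross_cert = Cert("Other Root", "Root A", True, frozenset({POLICY_A}), {POLICY_A: POLICY_B})
    intermediate = Cert("Other Sub CA", "Other Root", True, frozenset({POLICY_B}))
    good_leaf = Cert("good.example", "Other Sub CA", False, frozenset({POLICY_B}))
    stray_leaf = Cert("stray.example", "Other Sub CA", False, frozenset({POLICY_C}))
    return [cross_cert, intermediate, good_leaf], [cross_cert, intermediate, stray_leaf]


def evaluate(chain, anchor_subject="Root A", initial_policies=(POLICY_A,)):
    """Both verdicts side by side for one chain."""
    return {
        "builds_ignoring_policy": path_builds(chain, anchor_subject),
        "accepted_with_policy_processing": bool(policy_aware_policies(chain, initial_policies)),
    }


if __name__ == "__main__":
    good, stray = build_chains()
    for label, chain in (("conforming leaf", good), ("stray-policy leaf", stray)):
        print(label, evaluate(chain))
```

Both chains build under `path_builds`; only the conforming leaf survives `policy_aware_policies`. Swapping the mapping out of the cross-certificate, or giving the intermediate anyPolicy, changes the policy-aware verdict without touching the policy-ignorant one, which is the asymmetry the thread is about.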