On Thu, May 11, 2017 at 11:57 AM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Ryan, > > I think you've correctly highlighted that there's a problem -- the Mozilla > CA store is "designed" to be consumed from NSS, and CA-specific > remediations are a part of that (hash algorithms, maximum certificate > lifetimes, and any number of other important technical controls). > > Unfortunately, we're currently in a position where near as I can tell, most > code (except Go code :P) making HTTPS requests are using a Mozilla-derived > CA store, and OpenSSL's verifier, which only provides a subset of the > technical controls browsers implement. This is unfortunate, particular > because these clients also do not check CT, so it's entirely possible to > serve them certs which are not publicly visible. In a large sense, browsers > currently act as canaries-in-the-coalmine, protecting non-browser clients. > > Like Cory, I help maintain non-browser TLS clients. To that end, I think > it'd be outstanding if as a community we could find a way to get more of > these technical controls into non-browser clients -- some of this is just > things we need to do (e.g. add hash algorithm and lifetime checking to > OpenSSL or all consumers of it), Yes :) There's a significant amount that needs to happen in the third-party verifiers to understand and appreciate the risk of certain behaviours ;) > other's need coordination with Mozilla's > root program, and I think Cory's proposal highlights one way of making that > happen. Right, but these already flow into the NSS trust store - when appropriate. I'm sure you can understand when a piece of logic is _not_ implemented in NSS (e.g. because it's not generic beyond the case of browsers), that it seems weird to put it in/expose it in NSS :) To be clear: I'm not trying to suggest it's an entirely unreasonable request, merely an explanation of the constraints around it and why the current approach is employed that tries to balance what's right for Mozilla users and the overall NSS using community :) _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
