On Thu, May 11, 2017 at 1:03 PM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi Cory,
>
> On 11/05/17 15:21, Cory Benfield wrote:
> > While I’m very supportive of this kind of remediation, it is not a
> > remediation that non-browser implementations can follow very easily.
>
> Unfortunately, this is not a good enough reason to remove graduated trust
> proposals from our arsenal of possible remedies for issues. Because if
> the choice is only "trust everything" or "do not trust anything" from a
> particular root, we have no mitigations for the Too Big To Fail problem.

I don't think Cory's arguing against browsers making use of these types of remediations; he just wants the non-browser clients to be able to participate as well :-)

> > If Mozilla is interested in doing a substantial public service, this
> > situation could be improved by having Mozilla and MDSP define a static
> > configuration format that expresses the graduated trust rules as data, not
> > code.
>
> The trouble with this is that the vocabulary of such a format is almost
> unbounded. It effectively has to be code, rather than data, because we
> could in the future make any number of rules about certificates based on
> any number of criteria.
>
> So we decided to use English instead, which is why this exists:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Alex