On Thu, Jun 1, 2017 at 4:35 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 31/05/17 18:02, Matthew Hardeman wrote:
> > Perhaps some reference to technologically incorrect syntax (i.e. an
> > incorrectly encoded certificate) being a mis-issuance?
>
> Well, if it's so badly encoded Firefox doesn't recognise it, we don't
> care too much (apart from how it speaks to incompetence). If Firefox
> does recognise it, then I'm not sure "misissuance" is the right word if
> all the data is correct.

I would encourage you to reconsider this, or perhaps I've misunderstood your position. To the extent that Mozilla's mission includes "The effectiveness of the Internet as a public resource depends upon interoperability (protocols, data formats, content) ....", the well-formedness and encoding directly affects Mozilla users (sites working in Vendors A, B, C but not Mozilla) and the broader ecosystem (sites Mozilla users are protected from that vendors A, B, C are not).

I think considering this in the context of "CA problematic practices" may help make this clearer - they are all things that speak to either incompetence or confusion (and a generous dose of Hanlon's Razor) - but their compatibility issues presented both complexity and risk to Mozilla users.

So I would definitely encourage that improper application of the protocols and data formats constitutes misissuance, as they directly affect interoperability and indirectly affect security :)

> > How far does "those containing information which was not properly
> > validated" go? Does that leave the opportunity for someone's tortured
> > construction of the rule to suggest that a certificate that everyone agrees
> > is NOT mis-issued is in fact technically mis-issued?
>
> Certs containing data which is not properly validated, which
> nevertheless happens by chance to be correct, are still mis-issued,
> because they are BR-non-compliant. It may be hard to detect this case,
> but I think it should be in the definition. A CA has a positive duty to
> validate/revalidate all data within the timescales established.

Wholeheartedly agree.