So how about this:

A proper certificate is one that...

- contains the data as provided by the requester that the requester intended to use;

- contains the data as provided by the issuer that the issuer intended to use;

- contains data that has been properly verified by the issuer, to the extent that the data is verifiable in the first place;

- uses data that is recognized as legitimate for a certificate's intended use, per the relevant standards, specifications, recommendations, and policies, as well as the software products that are likely to utilize the certificate;

- is suitably constructed in accordance with the relevant standards, specifications, recommendations, and policies, as appropriate; and

- is produced by equipment and systems whose integrity is assured by the issuer and verified by the auditors.

Thus, failing one or more of the above conditions will constitute a mis-issuance situation.


From: Matthew Hardeman via dev-security-policy
Sent: Thursday, June 1, 2017 1:35 PM

On Thursday, June 1, 2017 at 8:03:33 AM UTC-5, Gervase Markham wrote:

>
> My point is not that we are entirely indifferent to such problems, but
> that perhaps the category of "mis-issuance" is the wrong one for such
> errors. I guess it depends what we mean by "mis-issuance" - which is the
> entire point of this discussion!
>
> So, if mis-issuance means there is some sort of security problem, then
> my original definition still seems like a good one to me. If
> mis-issuance means any problem where the certificate is not as it should
> be, then we need a wider definition.
>

It was in that spirit that I raised the questions that I did.

I wonder if the pedant can use these arguments to call any certificate "mis-issued" under the proposed definition. If so, I wonder if we should care if such a tortured argument might be made.

> I wonder whether we need a new word for certificates which are bogus for
> a non-security-related reason. "Mis-constructed"?
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

