So how about this: A proper certificate is one that... - contains the data as provided by the requester that the requester intended to use; - contains the data as provided by the issuer that the issuer intended to use; - contains data that has been properly verified by the issuer, to the extent that the data is verifiable in the first place; - uses data that is recognized as legitimate for a certificate's intended use, per the relevant standards, specifications, recommendations, and policies, as well as the software products that are likely to utilize the certificate; - is suitably constructed in accordance with the relevant standards, specifications, recommendations, and policies, as appropriate; and - is produced by equipment and systems whose integrity is assured by the issuer and verified by the auditors. Thus, failing one or more of the above conditions will constitute a mis-issuance situation.
On Thursday, June 1, 2017 at 8:03:33 AM UTC-5, Gervase Markham wrote: > > My point is not that we are entirely indifferent to such problems, but > that perhaps the category of "mis-issuance" is the wrong one for such > errors. I guess it depends what we mean by "mis-issuance" - which is the > entire point of this discussion! > > So, if mis-issuance means there is some sort of security problem, then > my original definition still seems like a good one to me. If > mis-issuance means any problem where the certificate is not as it should > be, then we need a wider definition. > It was in that spirit that I raised the questions that I did. I wonder if the pedant can use these arguments to call any certificate "mis-issued" under the proposed definition. If so, I wonder if we should care if such a tortured argument might be made. > I wonder whether we need a new word for certificates which are bogus for > a non-security-related reason. "Mis-constructed"? > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy |
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy