On Thu, Jun 1, 2017 at 5:49 AM, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Thu, Jun 1, 2017 at 4:35 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 31/05/17 18:02, Matthew Hardeman wrote: >> > Perhaps some reference to technologically incorrect syntax (i.e. an >> incorrectly encoded certificate) being a mis-issuance? >> >> Well, if it's so badly encoded Firefox doesn't recognise it, we don't >> care too much (apart from how it speaks to incompetence). If Firefox >> does recognise it, then I'm not sure "misissuance" is the right word if >> all the data is correct. >> > > I would encourage you to reconsider this, or perhaps I've misunderstood > your position. To the extent that Mozilla's mission includes "The > effectiveness of the Internet as a public resource depends upon > interoperability (protocols, data formats, content) ....", the > well-formedness and encoding directly affects Mozilla users (sites working > in Vendors A, B, C but not Mozilla) and the broader ecosystem (sites > Mozilla users are protected from that vendors A, B, C are not). > > I think considering this in the context of "CA problematic practices" may > help make this clearer - they are all things that speak to either > incompetence or confusion (and a generous dose of Hanlon's Razor) - but > their compatibility issues presented both complexity and risk to Mozilla > users. > > So I would definitely encourage that improper application of the protocols > and data formats constitutes misissuance, as they directly affect > interoperability and indirectly affect security :)
I think the policy needs to be carefully thought out here, as there is no limitation to what can be signed with the key used to sign certificates. What is a malformed certificate to one person might be a valid document to someone else. Maybe you could disallow signing things that are not valid ASN.1 DER? Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy