On Monday, July 24, 2017 at 2:49:20 AM UTC-5, Gervase Markham wrote:
> On 20/07/17 21:31, Ryan Sleevi wrote:
> > Broadly, yes, but there's unfortunately a shade of IP issues that make it
> > more difficult to contribute as directly as Gerv proposed. Gerv may accept
> > any changes to the Mozilla side, but if the goal is to modify the Baseline
> > Requirements, you'd need to sign the IPR policy of the CA/B Forum and join
> > as an Interested Party before changes.
> 
> I'm on holiday at the moment but, as Ryan says, this particular part of
> what CAs do is the part most subject to IPR restrictions and so work on
> it is probably best done in a CAB Forum context rather than a more
> informal process.
> 
> I will attempt to respond to your messages in more depth when I return.

Hi, Gerv,

I'm certainly willing and able to execute an IPR agreement in my own right 
and/or on behalf of my company.

My concern is that I would like to have a more fully fleshed out proposal to 
bring to the forum.  I have a strong understanding of the network and 
interconnection environment as pertains to the issue of IP hijacking, etc., but 
significantly less understanding of the infrastructure side of the CA and so I 
feel rather limited in being able to structure mitigations which are practical 
for CAs to deploy.

In short I can point out the weak spots and the potential consequences of the 
weak spots, and I can recommend mechanisms for reducing the risk, but I feel I 
could much better recommend specific solutions and frameworks for addressing 
the risks if I had a better understanding of typical CA interaction with the 
outside network as well as a firmer understanding of the various trust 
boundaries across the various CA elements.

Thanks,

Matt Hardeman
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
