On Wednesday, January 10, 2018 at 6:17:34 PM UTC-6, Ryan Sleevi wrote:
> On Wed, Jan 10, 2018 at 5:53 PM, Matthew Hardeman <mharde...@gmail.com>
> wrote:
> >
> > That, indeed, is a chilling picture.  I'd like to think the community's
> > response to any such stretch of the rules would be along the lines of "Of
> > course, you're entirely correct.  Technically this was permitted.  Oh, by
> > the way, we're pulling your roots, we've decided you're too clever to be
> > trusted."
> >
> 
> GlobalSign proposed this as a new method -
> https://cabforum.org/pipermail/validation/2017-May/000553.html
> Amazon pointed out that .10 already permitted this -
> https://cabforum.org/pipermail/validation/2017-May/000557.html
> 
> Your reaction means you must be one of the "worrywarts who treat
> certificate owners like criminals" though, in the words of Steve Medin of
> Symantec/Digicert -
> https://cabforum.org/pipermail/validation/2017-May/000554.html , who was
> also excited because of the 'brand stickiness' it would create (the term
> typically used to refer to the likelihood or difficulty for someone to
> switch to another, potentially more competent CA - in this case, due to the
> ease of the lower security)

Wow.  The economic incentives for behaving badly clearly were at work in those.

I think I am one of those worrywarts, in fact.

Also, I just reread and contemplated the .10 method's definition.  It's
lacking.  A legitimate definition of "on the authorization domain name" would
have clarified a normative reference for what accessing that over TLS means
and likely would have included that the SNI needed to be the authorization
domain name.  As such, it's really just a tenuous land-grab that TLS-SNI-01 is
compliant with .10.

One of these days I need to sign the IPR waiver and join the cabforum mailing
list as an interested party.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy