On Fri, Jan 19, 2018 at 3:58 PM Doug Beattie <doug.beat...@globalsign.com> wrote:
> Matthew, > > > > That’s a good summary. It seems we have 2 methods that can be used only > if the CAs using the methods have the design and risk mitigation factors > reviewed and approved. It’s basically the old “any other method”, except > before you can use it, the Root programs must review the > design/implementation and can approve/reject them on a case by case basis. > Is that where we are with these methods – Not approved unless disclosed and > reviewed? > I think it’s a large leap to go from a potentially vulnerable/underspecified method to “any other”. It seems you’re ignoring that .6 and .8 share the same specificity (or lack thereof), or that GlobalSign is apparently opposed to the removal of .5 and .1, which very much are insecure in all forms. I suspect if we are looking to improve security, removing .1 and .5 will go much further, and much less risk. > Given this discussion, there must be no other CAs using method 9 or 10, > else they would have come forward by now with disclosures and have > demonstrated their compliance.. Maybe we need to post this on the CABF > public list? > > > > Based on this, do we need a ballot to remove them from the BRs, or put in > a statement in them to the effect that they can be used only if approved by > Google on this list? I’m not picking on Ryan, but he’s the only root > program representative that has expressed strong views on what is permitted > and what is not (else you have your CA revoked or root pulled from the > program). > As Wayne has pointed out, CAs participating within the Mozilla program are expected to be following this list. That said, in my past messages regarding .9 and .10, I thought it was rather clear we’d like to see these methods removed if the community is unable to make progress in securing them, such that the limited exceptions can be removed and all can use them. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
