On Sat, Jan 20, 2018 at 1:07 AM, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> <snip>
>
> > Based on this, do we need a ballot to remove them from the BRs, or put in
> > a statement in them to the effect that they can be used only if approved
> > by Google on this list? I’m not picking on Ryan, but he’s the only root
> > program representative that has expressed strong views on what is
> > permitted and what is not (else you have your CA revoked or root pulled
> > from the program).
>
> As Wayne has pointed out, CAs participating within the Mozilla program are
> expected to be following this list.
>
> That said, in my past messages regarding .9 and .10, I thought it was
> rather clear we’d like to see these methods removed if the community is
> unable to make progress in securing them, such that the limited exceptions
> can be removed and all can use them.

Mozilla's position is as follows:

Given that the specific vulnerabilities present in BR 3.2.2.4 methods .9 and .10 were reported nearly two weeks ago, Mozilla's minimum expectation is that all CAs using either method have disclosed that fact and have described their response on this list. Any CA that has not is now requested to do so immediately.

Currently, Mozilla views new or continued use of these methods for domain validation to be misissuance unless the CA has first implemented and disclosed an appropriate mitigation for the known vulnerabilities. While Mozilla is open to strengthening these methods, CAs are strongly discouraged from using them and are encouraged to migrate away from them until such improvements are vetted and standardized by the CA/Browser Forum.

Note: Please recognize that Mozilla's position applies to our own CA Program and in no way changes or overrides earlier statements made by Ryan representing Chrome on this list.

I have added issue #116 to the PKI Policy repository [1] to consider removing methods 1, 5, 9, and 10 from a future version of the root store policy.
- Wayne

[1] https://github.com/mozilla/pkipolicy/issues