Hi, On Tue, 27 Feb 2018 09:20:33 -0700 Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> This capability existed in the legacy Firefox extension system that > was deprecated last year. It was used to implement stricter security > mechanisms (e.g. CertPatrol) and to experiment with new mechanisms > such as Certificate Transparency and DANE. Wouldn't be a good compromise to say: Extensions can downgrade security, but they can't upgrade it? I.e. if a certificate is valid according to "normal" WebPKI validation but there's an additional validation mechanism that fails the extension could say "tread this like an untrusted cert", but it couldn't say "our positive validation of that cert overrides the normal validation". Is there any existing use case that would not work with that? As far as I can see and if I understand it right all of those examples should be able to work on top of existing validation. -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy