On 05/12/2018 22:21, Wayne Thayer wrote:
On Wed, Dec 5, 2018 at 3:48 AM Dimitris Zacharopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
On 5/12/2018 10:02 π.μ., Fotis Loukos wrote:
The proposal was apparently to further restrict the ability of CAs to
make exceptions on their own, by requiring all such exceptions to go
through the public forums where the root programs can challenge or even
deny a proposed exception, after hearing the case by case arguments for
why an exception should be granted.
effectively 'legalizing' BR violations after browsers' concent (granting
an exception). Before two paragraphs you stated that you never proposed
making an extended revocation legal.
Regards,
Fotis
You missed one of Jakob's important point. This usually happens when you
clip-paste specific sentences that change the meaning of a whole
conversation.
"
But only if one ignores the
reality that such exceptions currently happen with little or no
oversight."
I am particularly troubled by the proposal that exceptions be granted by
Mozilla as part of some recognized process. There is a huge difference
between this and the current process in which CAs may choose to take
exceptions as explicit violations. Even if the result is the same, granting
exceptions transfers the risk from the CA to Mozilla. We then are
responsible for assessing the potential impact, and if we get it wrong,
it's our fault. Please, let's not go there. As has been stated, if there is
really no risk to violating a requirement, then it's reasonable to make a
case for removing that requirement.
The problematic cases are these:
- Longer-than-standard revocation delays as part of another incident
(visible in incident reports post-event, such as the recent report
by Microsec).
- Longer-than-standard revocation delays outside other incidents
(currently not reported to the community).
Discussions of permitting longer revocations before-the-fact have
happened in a few larger scope situations:
- During the Symantec incidents, there was public discussions of
timetables for revoking certificates issued via certain problematic
RAs.
- In the discussion of underscores in DNS names (not on this list),
there was a public decision to set revocation dates more than 5
days after the discussion.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
