On Tue, Dec 18, 2018 at 3:47 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> Removing the "underscore mandatory" and "specific name X_Y mandatory" rules
> from deployed systems without introducing security holes takes more than the
> 1 month they have given that the annual Thanksgiving-to-NewYears lockdown
> has been mentioned in other global issues.  (In fact this is the first
> subscriber/RP interfering BR effective date hitting the Xmas season since
> the SHA-1 deprecation).
>
The only thing that's required by 15-Jan is that existing certificates
containing underscores need to be replaced with new ones with the same
dNSNames. The deadline for updating systems to remove dependencies on
underscores in certificates is 30-April.

The 15-Jan deadline was negotiated with holiday change freezes in mind. The
assumption was that these freezes end in early January, providing
sufficient time to perform a routine certificate replacement. While I
understand that the replacement is not necessarily as simple as it should
be for all affected systems, and in other cases it's simple but there are
lots of certificates to replace, I think this is really just highlighting
the lack of agility in existing enterprise systems that use
publicly-trusted certificates. Hopefully this "huge mess" will spur
improvements over time.

I am also struggling with the argument that "revoking these certificates
will cause a massive outage, but we can't replace them due to our change
freeze." Given this position, I sincerely hope that no severe zero-days are
released during the holidays.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
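The first step for anyone affected by the 15-Jan deadline is an inventory: which issued certificates actually carry an underscore in a dNSName SAN entry. The following is an added, stand-alone example (not code from this thread, Mozilla, or any CA) that builds a subjectAltName extension from a constructed list of names, parses it back with nothing but the standard library, and reports the dNSName entries containing "_". The names in SAMPLE_SAN and the function names are illustrative assumptions; the DER layout (Extension ::= SEQUENCE { extnID, [critical], extnValue }, GeneralNames with dNSName as [2] IMPLICIT IA5String) is the RFC 5280 structure.

```python
"""Find dNSName entries containing an underscore in an X.509 subjectAltName
extension. Added example; standard library only. Sample names are constructed."""
from typing import List

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])  # base-128, high bit set on all but last byte
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_san_extension(dns_names: List[str]) -> bytes:
    """Encode Extension { extnID = SAN, extnValue = OCTET STRING(GeneralNames) }
    with every name as a dNSName ([2] IMPLICIT IA5String, tag byte 0x82)."""
    general_names = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)
    ext_value = _tlv(0x04, _tlv(0x30, general_names))
    return _tlv(0x30, _encode_oid(SAN_OID) + ext_value)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV), handling long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]  # sufficient for the 2.5.x tree used here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def dns_names_from_san_extension(ext_der: bytes) -> List[str]:
    """Walk an Extension TLV and return its dNSName entries in order.
    Other GeneralName choices (IP, email, ...) are skipped."""
    tag, ext_body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or _decode_oid(oid_body) != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    tag, nxt, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, nxt, pos = _read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, names_body, _ = _read_tlv(nxt, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(names_body):
        tag, body, pos = _read_tlv(names_body, pos)
        if tag == 0x82:
            names.append(body.decode("ascii"))  # IA5String: non-ASCII is itself a defect
    return names


def underscore_names(names: List[str]) -> List[str]:
    """The entries that make a certificate subject to the 15-Jan replacement."""
    return [n for n in names if "_" in n]


# Constructed sample: one name with an underscore among ordinary and wildcard names.
SAMPLE_SAN = ["www.example.com", "sip_server.example.com", "*.example.com", "mail.example.com"]
SAMPLE_EXT = build_san_extension(SAMPLE_SAN)


def affected_names(ext_der: bytes = SAMPLE_EXT) -> List[str]:
    return underscore_names(dns_names_from_san_extension(ext_der))


if __name__ == "__main__":
    print("dNSName entries:", dns_names_from_san_extension(SAMPLE_EXT))
    print("need replacement:", affected_names())
```

On a real certificate the same parser applies to the subjectAltName Extension TLV pulled out of the TBSCertificate extensions list; for a quick manual look, OpenSSL 1.1.1 and later print the same entries with `openssl x509 -in cert.pem -noout -ext subjectAltName`. Note that the check is deliberately limited to underscores, which is what the BR change concerns; it does not validate the rest of the RFC 1034 hostname syntax.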
