On Thu, Dec 27, 2018 at 9:30 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Also it isn't the "Web PKI". It is the "Public TLS PKI", which is not
> confined to Web Browsers surfing online shops and social networks, and
> hasn't been since at least the day TLS was made an IETF standard.

This reply is filled with a number of unrelated and unproductive non sequiturs, but this one is particularly worth calling out as wrong - historically and factually.

TLS has, as with the specifications that preceded it (SSL, PCT), treated PKI as an opaque black box into which inputs go in, and a yes/no comes out. TLS has entirely, and intentionally, left unspecified what goes on within that box. The existence of TLS, much like the existence of S/MIME, no more defines the PKI than it defines the color of the sky or what time to set your alarm for the morning.

The concept of the PKI has, even in traces of the X.500 DIT, considered itself a loose amalgamation of various different PKIs, interoperating where they are compatible (technology, policies, implementation), but otherwise managed distinctly. This can be seen from the first discussions of audits, which were concerned about assessing the interoperability of these distinct PKIs, to the development and foundation of the PKIX WG, which produced a number of documents to smooth the technological differences (e.g. RFC 5280 and predecessors) and policy differences (RFC 3647 and predecessors).

Yes, it very much is the "Web PKI", and has been for some time. Considering those sets of CAs bundled in the context for SSL 2.0 and Netscape Navigator were very much intended for the Web, it would be demonstrable ignorance to argue otherwise.