On Wed, Jan 2, 2019 at 7:10 AM Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 02/01/2019 13:44, info--- via dev-security-policy wrote:
> > On Wednesday, January 2, 2019, 12:49:52 (UTC+1), Rob Stradling wrote:
> >> On 09/10/2018 23:53, Wayne Thayer wrote:
> >>> On Tue, Oct 9, 2018 at 3:43 AM Rob Stradling wrote:
<snip>
> >>> Wayne, Kathleen:
> >>> Given the number of times that all the CAs in Mozilla's Root Program
> >>> have been reminded about Mozilla's requirements for disclosing
> >>> intermediate certs, I wouldn't blame you if you decided to add these 20
> >>> intermediate certs [5] to OneCRL immediately!
> >>>
> >>> I think we should give this serious consideration, although it doesn't
> >>> help with the majority of these that are trusted for email.
> >>
> >> Hi Wayne. Did you give this serious consideration?
> >>

The options to consider are:

1. Continue with current policy of treating non-disclosure of unconstrained intermediates as an incident. This could eventually lead to having the offending intermediate added to OneCRL, but in practice it never has because disclosure is not difficult.

2. Change our policy to state that any undisclosed intermediate we discover will be immediately and permanently added to OneCRL.

3. Wait for the "intermediate preloading" feature to ship in Firefox. As currently defined, this is not an enforcement mechanism for disclosure, but it could be.

4. Assume that CT enforcement will (eventually, on some undefined timeline for Firefox) force intermediate disclosures and eliminate the need for Mozilla to require CAs to manually disclose serverAuth intermediates in CCADB.

I don't expect options 3 and 4 to be viable for S/MIME certificates anytime soon, so different options might be chosen for TLS and S/MIME.

I'm interested to hear if anyone has opinions on these options.

Thanks,

Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy