On Thu, May 9, 2019 at 10:44 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 09/05/2019 16:35, Ryan Sleevi wrote:
> > Given that the remark is that such a desire is common, perhaps you can
> > provide some external references documenting how one might go about
> > configuring such a set-up, particularly in the context of TLS trust?
> > Similarly, I'm not aware of any system that supports binding S/MIME
> > identities to a particular CA (effectively, CA pinning) - perhaps you can
> > provide documentation and reference for systems that perform this?
> >
> > Thanks for helping me understand how this 'common' scenario is actually
> > implemented, especially given that the underlying codebases do not support
> > such distinctions.
>
> My description is based on readily available information from the
> following sources, that you should also have access to:

It looks like your links to external references may have gotten stripped, as I didn't happen to receive any.

As it relates to the topic at hand, the system you described is simply that of internal CAs, and does not demonstrate a need to use publicly trusted CAs.

Further, going back to your previous message, to which I was replying to make sure I did not misunderstand, given that you stated it was common, it seemed we established that such scenarios in that message, and further expanded upon in this one, already have the capability for enterprise management.

I wanted to make sure I did my best to understand, so that we can have productive engagement on substance, specifically around whether there is a technical necessity for the use of non-Root CAs to be capable of issuance under multiple different trust purposes. It does not seem as if there have been any external references to establish a technical necessity, so it does not seem like the policy needs to be modified, based on the available evidence.