On Wed, May 15, 2019 at 11:52 AM Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I believe the case where Google requests a certificate from the CA is
> accommodated but not the case where SAAS requests a certificate from the CA
> based on the authentication of the user it did with Google.
>

I think this bears expansion, because I don't think it's been clearly documented what flow you believe is currently permitted today that will be prevented tomorrow with this change. The level of abstraction here doesn't help, because understanding the state diagram of what the SAAS is requesting, and who it's requesting it of, is vital to understanding the security properties.

> I also believe that the nature of how email addresses are used, and how
> many there are (billions) suggests that delegation should be allowed if
> scoped very narrowly.
>

I don't believe so, based on the description, that this aligns with how they're used or that this is desirable to allow. But I _suspect_ that it's merely based on the information presented, and by not having a clearer picture of your proposed flow.

> > Hopefully, this analysis avoids the emotive aspects of the previous
> > posts, and focuses purely on what technical steps are being provided.
>
> I was not trying to be emotive, I was trying to make sure the consequences
> of the proposed wording are clear.
>

It's an appeal to impact, but it's missing the substantive part: the demonstration of how this is a functional change from the already Forbidden Practice, and while it lays out the "desired end result", doesn't describe it in terms of who is validating what, and when, which is the key thing to assess for this discussion.

> It is true that ping mails could be replaced with users logging being
> redirected from the application they use to a CA where they authenticate to
> the CA via one of these federated authentication schemes and then be
> federated back. This has all the same issues and is not materially
> different than a ping mail, though, when looking at usability, which is why I
> omitted it, but as you point out it is still possible.
>
> It is also possible for a mail service provider to become a CA, or provide
> certificates through a CA by proving control of the base domain and then
> being authoritative for the local part of the address, but this limits the
> use of certificates in this case to email providers that have built this.
>
> These options leave SAAS providers with the following choices:
> a) use private trust certificates
> b) use public trust certificates and accept it makes your user experience
> non-competitive
> c) do not use certificates because it makes your user experience
> non-competitive
>

I'm still at an absolute loss for understanding your flow and what you believe is validated, so I do not feel able to evaluate these alternatives, other than to note that I find problems with all of them. I'm hoping you can, focusing solely on the CA validation process, describe who is validating what, and when.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy