On Wed, Jul 10, 2019 at 2:31 PM Phillip Hallam-Baker <ph...@hallambaker.com> wrote:
> On Wed, Jul 10, 2019 at 4:54 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Russ, >> >> > >> Perhaps one of us is confused because I think we're saying the same thing >> - >> that rules around inclusion of Logotype extensions in publicly-trusted >> certs should be in place before CAs begin to use this extension. >> > > I don't see how your proposed ban on logotypes is consistent. What that > would do is set up a situation in which it was impossible for CABForum to > develop rules for logotypes because one of the browsers had already banned > their use. > > How exactly does a Browser banning the use of an extension prevent the CAB Forum from developing rules to govern the use of said extension? If anything, it would seem to encourage the CAB Forum to take on that work. Also, as has been discussed, it is quite reasonable to argue that the inclusion of this extension is already forbidden in a BR-compliant certificate. A better way to state the requirement is that CAs should only issue > logotypes after CABForum has agreed validation criteria. But I think that > would be a mistake at this point because we probably want to have > experience of running the issue process before we actually try to > standardize it. > > I would be amenable to adding language that permits the use of the Logotype extension after the CAB Forum has adopted rules governing its use. I don't see that as a material change to my proposal because, either way, we have the option to change Mozilla's position based on our assessment of the rules established by the CAB Forum, as documented in policy section 2.3 "Baseline Requirements Conformance". I do not believe that changing the "MUST NOT" to "SHOULD NOT" reflects the consensus reached in this thread. I also do not believe that publicly-trusted certificates are the safe and prudent vehicle for "running the issue process before we actually try to standardize it". I can't see Web browsing being the first place people are going to use > logotypes. I think they are going to be most useful in other applications. > And we actually have rather a lot of those appearing right now. But they > are Applets consisting of a thin layer on top of a browser and the logotype > stuff is relevant to the thin layer rather than the substrate. > > If the use case isn't server auth or email protection, then publicly trusted certificates shouldn't be used. Full stop. How many times do we need to learn that lesson? > For example, I have lots of gadgets in my house. Right now, every > different vendor who does an IoT device has to write their own app and run > their own service. And the managers are really happy with that at the > moment because they see it as all upside. > > I think they will soon discover that most devices that are being made to > Internet aren't actually very useful if the only thing they connect to is a > manufacturer site and those start to cost money to run. So I think we will > end up with an open interconnect approach to IoT in the end regardless of > what a bunch of marketing VPs think should happen. Razor and blades models > are really profitable but they are also vanishingly rare because the number > 2 and 3 companies have an easy way to enter the market by opening up. > > Authenticating those devices to the users who bought them, authenticating > the code updates. Those are areas where the logotypes can be really useful. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
