On Saturday, July 4, 2020 at 2:06:53 PM UTC-4, Ryan Sleevi wrote: > On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > As part of this, you should re-evaluate certificate pinning. As one of the > authors of that specification, and indeed, my co-authors on the > specification agree, certificate pinning does more harm than good, for > precisely this reason. > I agree that certificate pinning is a bad practice, but it is not a decision that I made or that I can reverse quickly. It will take time to convince several different actors that this needs to change.
> I realize you're new here, and so I encourage you to read > https://wiki.mozilla.org/CA/Policy_Participants for context about the > nature of participation. Thank you for helping me understand who the participants in this discussion are and what roles they fill. > I'm very familiar with the implications of applying these rules, both > personally and professionally. This is why policies such as > https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation exist. > This is where such information is shared, gathered, and considered, as > provided by the CA. It is up to the CA to demonstrate the balance of > equities, but also to ensure that going forward, they actually adhere to > the rules they agreed to as a condition of trust. Simply throwing out > agreements and contractual obligations when it's inconvenient, > *especially *when > these were scenarios contemplated when they were written and CAs > acknowledged they would take steps to ensure they're followed, isn't a > fair, equitable, or secure system. I think that the lack of fairness comes from the fact that the CA/B forum only represents the view points of two interests - the CAs and the Browser vendors. Who represents the interests of industries and end users? Nobody. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
