Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> 
writes:

>This is a clear, straightforward statement of perhaps the single biggest core
>issue that limits the agility and security of the Web PKI

That's not the biggest issue by a long shot.  The biggest issue is that the
public PKI (meaning public/commercial CAs, not sure what the best collective
noun for that is) assumes that the only possible use for certificates is the
web.  For all intents and purposes, public PKI = Web PKI.  For example, for
embedded systems, SCADA devices, anything on an RFC 1918 LAN, and much more,
the only appropriate expiry date for a certificate is never.  However, since
the Web PKI has decided that certificates should constantly expire because
$reasons, everything that isn't the web has to deal with this, or, more
usually, suffer under it.

The same goes for protocols like HTTP and TLS: the current versions (HTTP/2
and /3 and TLS 1.3) are designed for efficient content delivery by large web
service providers above everything else.  When some SCADA folks requested a
few minor changes to the SCADA-hostile HTTP/2 from the WG, not mandatory but
just negotiable options to make it more usable in a SCADA environment, the
response was "let them eat HTTP/1.1".  In other words, they'd explicitly
forked HTTP: there was HTTP/2 for the web and HTTP/1.1 for the rest of them.

So the problem isn't "everyone should do what the Web PKI wants, no matter how
inappropriate it is in their environment", it's "CAs (and protocol designers)
need to acknowledge that something other than the web exists and accommodate
it".

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy