On Sat, Jul 4, 2020 at 9:21 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> So the problem isn't "everyone should do what the Web PKI wants, no matter > how > inappropriate it is in their environment", it's "CAs (and protocol > designers) > need to acknowledge that something other than the web exists and > accommodate > it". And they are accomodated - by using something other than the Web PKI. Your examples of SCADA are apt: there's absolutely no reason to assume a default phone device, for example, should be able to manage a SCADA device. Of course we'd laugh at that and say "Oh god, who would do something that stupid?" Yet that's what happens when one tries to make a one-size fits-all PKI. Of course the PKI technologies accommodate these scenarios: you use locally trusted anchors, specific to your environment, and hope that the OS vendor does not remove support for your use case in a subsequent update. Yet it would be grossly negligent if we allowed SCADA, in your example, to hold back the evolution of the Web. As you yourself note, it's something other than the Web. And it can use its own PKI. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
