On Sun, Jul 05, 2020 at 09:30:33PM +0000, Buschart, Rufus via 
dev-security-policy wrote:
> > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> 
> > On Behalf Of Matt Palmer via dev-security-policy
> > Sent: Sunday, 5 July 2020 06:36
> > 
> > On Sat, Jul 04, 2020 at 07:42:12PM -0700, Peter Bowen wrote:
> > > On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy
> > > <dev-security-policy@lists.mozilla.org> wrote:
> > > >
> > > > > On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via 
> > > > > dev-security-policy wrote:
> > > > >
> > > > > In the CIA triad Availability is as important as Confidentiality.
> > > > > Has anyone done a threat model and a serious risk analysis to
> > > > > determine what a reasonable risk mitigation strategy is?
> > > >
> > > > Did you do a threat model and a serious risk analysis before you
> > > > chose to use the WebPKI in your application?
> > >
> > > I think it is important to keep in mind that many of the CA
> > > certificates that were identified are constrained to not issue TLS
> > > certificates.  The certificates they issue are explicitly excluded
> > > from the Mozilla CA program requirements.
> > 
> > Yes, I'm aware of that.
> > 
> > > I don't think it is reasonable to assert that everyone impacted by
> > > this should have been aware of the possibility of revocation
> > 
> > At the limits, I agree with you.  However, to whatever degree that there
> > is complaining to be done, it should be directed at the CA(s) which sold
> > a product that, it is now clear, was not fit for whatever purpose it has
> > been put to, and not at Mozilla.
> 
> Let me quote from the NSS website of Mozilla
> (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview):
> 
>   If you want to add support for SSL, S/MIME, or other Internet security
>   standards to your application, you can use Network Security Services (NSS)
>   to implement all your security features. NSS provides a complete
>   open-source implementation of the crypto libraries used by AOL, Red Hat,
>   Google, and other companies in a variety of products, including the
>   following:

[snip]

Are you using NSS for your S/MIME implementation?  If not, I fail to see how
it is relevant here.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
