On Thu, 11 Feb 2021 15:12:46 -0500 Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> So I'd say feel free to ask your question there, which helps make
> sure it's answered before the issue is closed.

Good point. In this case Arvid has clarified that in fact the ticket now has an updated sheet which (I haven't examined it yet) should satisfy my question, so I shan't follow up there except in the event I have further questions.

> This is one of many outstanding items still
> for the Validation Working Group of the CA/B Forum, as possible
> mitigations were also discussed. In short, "capability URLs" (where
> the entire URL is, in effect, the capability) are dangerous.

Good to know.

> Note that there have been far more than "Ten Blessed Methods" since
> those discussions, so perhaps it's clearer to just say 3.2.2.4.

Personally I just like the way "Ten Blessed Methods" sounds. I wouldn't reliably recognise all Thirty Six Views of Mount Fuji, everything except (what I'd call) Big Wave, and Watermill could be any of dozens of imitators as far as this uneducated eye is concerned - and of course there are actually ten more of them, but we still call it "Thirty Six Views of Mount Fuji".

The addition (and deprecation) of methods is an expected and desirable course for the Baseline Requirements, and I am watching even if I don't comment on it.

However, because everything is formatted according to RFC 3647 (which is a good thing), section 3.2.2.4 doesn't carry the same implication as "Ten Blessed Methods". BR 1.3.0 had a section 3.2.2.4; it's just that it doesn't in fact set down which methods must be used, which is how we got here in the first place.

But I'm not old enough just yet to be incapable of learning new tricks. I've learned to call it a "blocklist" not a "blacklist", and I'm sure if everybody really starts to refer only to "3.2.2.4" I'll get used to that.

Nick.