On Tue, Jun 04, 2024 at 04:31:15PM -0700, 'Amir Omidi (aaomidi)' via 
dev-security-policy@mozilla.org wrote:
> TWCA has a couple of incidents open for revocation delays. I think until
> this CA can show that it can follow its own CP/CPS and BRs, new trust
> anchors from that CA should not be accepted into the Mozilla Trust Store.

This exchange (in
https://bugzilla.mozilla.org/show_bug.cgi?id=1884568#c10) gives me reason
for concern:

> > Can you share how customers are being advised to explore alternate
> > methods to certificate pinning and what those methods might be?
>
> We currently suggest three possible methods:
> 1. Binding the public key instead of the certificate fingerprint.

This will work really great, right up until the point that the key gets
compromised... is it expected that a two-week delay in revocation for a
compromised private key is reasonable, just because the certificate is
pinned in a banking app?

The only answer to "how should we pin WebPKI certs?" that is in any way
defensible is "DON'T".  If you want/need to pin, then don't do it with
WebPKI certs -- or, heck, don't use certs at all.  If you've got an
out-of-band mechanism for determining trust in a given bunch of secret
bytes, X.509 isn't buying you anything except a widely-supported public
key delivery mechanism.

I'd personally like to see Mozilla strongly and actively discourage
certificate pinning, as it is a dangerous practice that is, quite
clearly, detrimental to the security of the WebPKI (it seems to be the
de rigueur plausible-looking excuse for CAs delaying revocation).  As a
bonus, maintenance of private PKIs for those organisations for whom
pinning is deemed a security benefit can be a lucrative source of income
for CAs.

Seems like a win-win to me!

Also, from that same bug:

> 1 is used for communication with Financial Information Service Co.,
> Ltd. (FISC, the national interbank processing center) and requires
> system update on FISC side.

Using a WebPKI certificate for client authentication seems...
particularly unwise.  I know I'm not going to get it, but I'd *really*
like to hear what the rationale for doing that was.

- Matt
