Intent to ship: Intermediate CA Preloading

2020-03-09 Thread Thyla van der Merwe
*Summary*: As of Firefox 75, Intermediate CA Preloading will be enabled for
all Desktop users. This means that all intermediate CAs disclosed to
Mozilla will be pre-loaded into profiles, combatting the common secure
website misconfiguration of forgetting to include these certificates.
Previously, progression of this work was stalled by a dependency on rkv
improvements; this has now been resolved. Further details can be found in this
comprehensive dev-platform post:
https://groups.google.com/forum/#!msg/mozilla.dev.platform/ATbLAQpWLXE/BZqxGxyyBQAJ


*Tracking Bug*: <https://bugzilla.mozilla.org/show_bug.cgi?id=1562657>
https://bugzilla.mozilla.org/show_bug.cgi?id=1535662

*Standard*: N/A.

*Estimated target release*: Firefox 75

*Platform coverage*: All Desktop platforms.

*Preference*: We intend to ship this feature as enabled by default, but it
may be disabled by setting the
"security.remote_settings.intermediates.enabled" pref to 'false'.

*DevTools bug*: N/A.

*Other browsers*: N/A.

*Testing*: Enabled in pre-release since Firefox 68

*Secure contexts*: N/A.

*Bug to enable*: https://bugzilla.mozilla.org/show_bug.cgi?id=1603834

Please do not hesitate to reach out if you have any further questions or
concerns.


Best,

Thyla



-- 
Dr. Thyla van der Merwe
Cryptography Engineering Manager
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Intent to implement: Delegated Credentials for TLS 1.3

2019-04-11 Thread Thyla van der Merwe
*Summary*: We would like to experiment with Delegated Credentials, a
proposed TLS 1.3 extension. The Delegated Credentials mechanism allows
operators to delegate their own credentials for use in TLS 1.3, without
breaking compatibility with clients that do not support this extension.
Typically, Certification Authorities (CAs) issue long-lived certificates
which restrict servers to using the authentication mechanisms for which the
CA-issued credentials are valid. This is not ideal in situations where
server operators would like to use short-lived credentials for servers
operating in low-trust zones such as CDNs, for example. To remove
dependencies on external CAs (and the associated cost of potentially
requesting short-lived credentials from these CAs), the Delegated
Credentials mechanism allows a TLS server operator to issue its own,
short-lived credentials within the scope of a certificate issued by an
external CA. In other words, trust is still provided via an externally
issued end-entity certificate but server operators can now limit the
exposure of compromise through the use of short-lived credentials that are
signed by the private key corresponding to the end-entity certificate
(i.e., the end-entity public key). These short-lived “delegated
credentials” are valid for a maximum of seven days, and operate as a
server’s working keys for the TLS 1.3 connection. Further details can be
found in the specification linked below.

We are partnering with Cloudflare on this initiative. Christopher Patton
has opened a bug and is starting to submit code for review. Once the client
code has landed, and the server-side code is ready, we can contemplate
experimental interop testing with Nightly (details still to be decided).

*Bug*: https://bugzilla.mozilla.org/show_bug.cgi?id=1540403

*Link to standard*: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03

*Platform coverage - where will this be available?* All Gecko

*Estimated target release*: None; prerelease-only currently.

*Preference behind which this will be implemented*: This will be enabled
behind a pref but the particulars are yet to be determined.


Please do not hesitate to contact me if you have any further questions or
concerns.


Thank you,

Thyla


-- 
Dr. Thyla van der Merwe
Cryptography Engineering Manager
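
The seven-day lifetime rule described in the message above, as an added example that is not part of the original post and is not Firefox or NSS code. The Credential byte layout is assumed from RFC 9345 (the published form of the linked draft; draft-03 may differ), the function names and sample bytes are constructed, and verification of the signature made with the end-entity key is left out.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(days=7)  # the seven-day maximum stated in the post

def parse_credential(buf: bytes):
    """Split a Credential into (valid_time, scheme, spki).
    Assumed layout: uint32 valid_time, uint16 SignatureScheme,
    then a 24-bit length-prefixed SubjectPublicKeyInfo."""
    if len(buf) < 9:
        raise ValueError("truncated credential")
    valid_time, scheme = struct.unpack_from("!IH", buf, 0)
    spki_len = int.from_bytes(buf[6:9], "big")
    spki = buf[9:9 + spki_len]
    if spki_len == 0 or len(buf) != 9 + spki_len:
        raise ValueError("bad SubjectPublicKeyInfo length")
    return valid_time, scheme, spki

def check_lifetime(valid_time: int, cert_not_before: datetime, now: datetime):
    """valid_time counts seconds from the end-entity certificate's notBefore.
    Reject a credential that has expired or whose remaining life is over 7 days."""
    expiry = cert_not_before + timedelta(seconds=valid_time)
    if now > expiry:
        return False, "expired"
    if expiry - now > MAX_TTL:
        return False, "remaining lifetime exceeds 7 days"
    return True, "ok"

def evaluate(buf: bytes, cert_not_before: datetime, now: datetime):
    """Parse, then apply the lifetime rule; malformed input is a rejection."""
    try:
        valid_time, _scheme, _spki = parse_credential(buf)
    except ValueError as exc:
        return False, str(exc)
    return check_lifetime(valid_time, cert_not_before, now)

def make_sample(days_after_not_before: int) -> bytes:
    """Constructed credential: 0x0403 is ecdsa_secp256r1_sha256, key is a placeholder."""
    spki = b"\x00" * 16  # placeholder bytes, not a real public key
    return (struct.pack("!IH", days_after_not_before * 86400, 0x0403)
            + len(spki).to_bytes(3, "big") + spki)

# Constructed dates for the demonstration.
NOT_BEFORE = datetime(2019, 4, 1, tzinfo=timezone.utc)
NOW = datetime(2019, 4, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for days in (5, 12, 30):
        print(days, evaluate(make_sample(days), NOT_BEFORE, NOW))
```
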