Re: Japan GPKI Root Renewal Request

2018-02-27 Thread apca2.2013--- via dev-security-policy
"I would like to again point out that simply waiting for misissued certificates to expire is not an acceptable response." This is a misunderstanding. We are preparing to revoke certificates immediately, rather than waiting for certificates issued prior to 2017 to expire. However, even if we

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Jakob Bohm via dev-security-policy
On 27/02/2018 17:20, Wayne Thayer wrote: I am seeking input on this proposal: Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 27, 2018 at 6:15 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > In the bug I referenced as [2], people said that they specifically need to > be able to override "negative" certificate validation decisions, so they > may not see this as a

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Peter Saint-Andre via dev-security-policy
On 2/27/18 4:15 PM, Wayne Thayer wrote: > On Tue, Feb 27, 2018 at 3:40 PM, Peter Saint-Andre via > dev-security-policy > wrote: > > On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > > Hi,

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 27, 2018 at 3:40 PM, Peter Saint-Andre via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > > Hi, > > > > On Tue, 27 Feb 2018 09:20:33 -0700 > > Wayne Thayer via dev-security-policy > >

Re: Japan GPKI Root Renewal Request

2018-02-27 Thread Wayne Thayer via dev-security-policy
To conclude this discussion, Mozilla is denying the Japanese Government ApplicationCA2 Root inclusion request. I'd like to thank everyone for your constructive input into the discussion, and I'd like to thank the Japanese Government representatives for their patience and work to address issues as

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Peter Saint-Andre via dev-security-policy
On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > Hi, > > On Tue, 27 Feb 2018 09:20:33 -0700 > Wayne Thayer via dev-security-policy > wrote: > >> This capability existed in the legacy Firefox extension system that >> was deprecated last year.

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Hanno Böck via dev-security-policy
Hi, On Tue, 27 Feb 2018 09:20:33 -0700 Wayne Thayer via dev-security-policy wrote: > This capability existed in the legacy Firefox extension system that > was deprecated last year. It was used to implement stricter security > mechanisms (e.g. CertPatrol)

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Jonathan Rudenberg via dev-security-policy
> On Feb 27, 2018, at 16:47, Wayne Thayer via dev-security-policy > wrote: > > On Tue, Feb 27, 2018 at 2:40 PM, Jonathan Rudenberg > wrote: > >> >>> On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy < >>

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 27, 2018 at 2:40 PM, Jonathan Rudenberg wrote: > > > On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > > >> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy < >

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Jonathan Rudenberg via dev-security-policy
> On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy > wrote: > > >> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy >> wrote: >> >> This request has been in public discussion

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Jonathan Rudenberg via dev-security-policy
> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy > wrote: > > This request has been in public discussion for more than 6 months, so I > would like to make a decision soon. If you have comments or concerns with > this request, please post

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Wayne Thayer via dev-security-policy
This request has been in public discussion for more than 6 months, so I would like to make a decision soon. If you have comments or concerns with this request, please post them here by 6-March 2018. On Tue, Feb 27, 2018 at 7:33 AM, Olfa Kaddachi via dev-security-policy <

RE: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Tim Hollebeek via dev-security-policy
Wow, this is a tough one. I've wanted to write such an extension myself for quite some time. In fact, I probably would write one or more extensions, if Mozilla were to allow this, for a variety of use cases. That said, such extensions are extremely dangerous, and users are just going to

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Matthew Hardeman via dev-security-policy
Altering the security UI based on a third party extension seems risky in either direction. If a broad pinning scheme was unlikely to cause problems, HPKP would still be a thing. Other criteria for stricter than standard validation seem hard to guarantee over the long haul also. Even if a whole

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Ryan Sleevi via dev-security-policy
Chrome has, to date, intentionally rejected the ability of extensions to modify the connection security attributes in this way. Mozilla will need to make a call based on its trust of the extensions ecosystem, the potential for harm, and the various other impacts. For example, an extension that

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread jomo via dev-security-policy
IMHO it should be possible to affect the connection and the UI. This would allow plug-ins for alternative certificate validation methods, such as Convergence (https://en.wikipedia.org/wiki/Convergence_%28SSL%29) / FreeSpeechMe (https://bit.namecoin.org/freespeechme.html). While I agree that it is

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Alex Gaynor via dev-security-policy
A reasonable compromise that jumps out to me is allowing extensions to make an otherwise-secure connection fail, but not allow them to rehabilitate an insecure connection. This would allow experimenting with stricter controls while avoiding some of the really scary risks. Alex On Tue, Feb 27,

Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Wayne Thayer via dev-security-policy
I am seeking input on this proposal: Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to change or ignore the normal results of

Re: TunRootCA2 root inclusion request

2018-02-27 Thread Olfa Kaddachi via dev-security-policy
Dear Wayne, The TunRootCA2 root CA operates under the following CPS: http://www.certification.tn/pub/PC-PDC_AC_RACINE-NG-01-EN.pdf ==> The TunRootCA2 operates under a new version of the CP/CPS: http://www.certification.tn/sites/default/files/documents/CPCPS-NG-EN-02.pdf The