Use cases of publicly-trusted certificates

2018-12-26 Thread Peter Bowen via dev-security-policy
In the discussion of how to handle certain certificates that no longer meet CA/Browser Forum baseline requirements, Wayne asked for the "Reason that publicly-trusted certificates are in use" by the customers. This seems to imply that Mozilla has an opinion that the default should not be to use

Re: Underscore characters

2018-12-26 Thread Matt Palmer via dev-security-policy
On Wed, Dec 26, 2018 at 04:13:40PM +, Jeremy Rowley via dev-security-policy wrote: > The trust stores are always free to ignore the CAB Forum mandates and make > their own rules. Mozilla has in the past (see the Mozilla audit > criteria). Whilst the trust stores *can* make their own rules,

Re: Underscore characters

2018-12-26 Thread Matt Palmer via dev-security-policy
On Wed, Dec 26, 2018 at 06:02:57PM +, Jeremy Rowley via dev-security-policy wrote: > Much better to treat this question as “We know X is going to happen. > What’s the best way to mitigate the concerns of the community?” Exception > was the wrong word in my original post. I should have used

Re: Underscore characters

2018-12-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley wrote: > I don’t think I’m arguing that CAs should ever ignore the BRs. I’m arguing > that deciding the consequences of failing to follow the BRs falls in the > hands of the browsers. But I think you definitely highlighted why this > discussion is

RE: Underscore characters

2018-12-26 Thread Jeremy Rowley via dev-security-policy
I don’t think I’m arguing that CAs should ever ignore the BRs. I’m arguing that deciding the consequences of failing to follow the BRs falls in the hands of the browsers. But I think you definitely highlighted why this discussion is confusing. I think all agree on the following: 1.

Re: Underscore characters

2018-12-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Dec 26, 2018 at 11:13 AM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Hey Matt, > > The trust stores are always free to ignore the CAB Forum mandates and make > their own rules. Mozilla has in the past (see the Mozilla audit criteria > exception

RE: Underscore characters

2018-12-26 Thread Jeremy Rowley via dev-security-policy
Hey Matt, The trust stores are always free to ignore the CAB Forum mandates and make their own rules. Mozilla has in the past (see the Mozilla audit criteria exception for other audits outside of Webtrust and ETSI). The root stores are also the entities that determine what happens if the