TLS certificates for ECIES keys

2020-10-29 Thread Jacob Hoffman-Andrews via dev-security-policy
Hi all, ISRG is working with Apple and Google to deploy Prio, a "privacy-preserving system for the collection of aggregate statistics:" https://crypto.stanford.edu/prio/. Mozilla has previously demonstrated Prio for use with telemetry data:

Re: TLS certificates for ECIES keys

2020-10-29 Thread Jakob Bohm via dev-security-policy
On 2020-10-29 19:06, Jacob Hoffman-Andrews wrote: Hi all, ISRG is working with Apple and Google to deploy Prio, a "privacy-preserving system for the collection of aggregate statistics:" https://crypto.stanford.edu/prio/. Mozilla has previously demonstrated Prio for use with telemetry data:

Re: TLS certificates for ECIES keys

2020-10-29 Thread Matthew Hardeman via dev-security-policy
IFF the publicly trusted certificate for the special domain name is acquired in the normal fashion and is issued from the normal leaf certificate profile at LE, I don't see how the certificate could be claimed to be "misused" _by the subscriber_. To the extent that there is misuse in the

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-10-29 Thread Jakob Bohm via dev-security-policy
On 2020-10-29 01:25, Ben Wilson wrote: Issue #186 in GitHub deals with the disclosure of CA certificates that directly or transitively chain up to an already-trusted, Mozilla-included root. A common scenario for the situation discussed in Issue

Re: TLS certificates for ECIES keys

2020-10-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Oct 2020 11:06:43 -0700 Jacob Hoffman-Andrews via dev-security-policy wrote:
> I also have a concern about ecosystem impact. The Web PKI and
> Certificate Transparency ecosystems have been gradually narrowing
> their scope - for instance by requiring single-purpose TLS issuance
>

Re: TLS certificates for ECIES keys

2020-10-29 Thread Matt Palmer via dev-security-policy
On Thu, Oct 29, 2020 at 01:56:53PM -0500, Matthew Hardeman via dev-security-policy wrote:
> IFF the publicly trusted certificate for the special domain name is
> acquired in the normal fashion and is issued from the normal leaf
> certificate profile at LE, I don't see how the certificate could be

Re: TLS certificates for ECIES keys

2020-10-29 Thread Matthew Hardeman via dev-security-policy
On Thu, Oct 29, 2020 at 6:30 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The way I read Jacob's description of the process, the subscriber is
> "misusing" the certificate because they're not going to present it to TLS
> clients to validate the identity