On Mon, January 18, 2016 3:01 pm, Jakob Bohm wrote:
>  I was attempting to avoid the even-harder-to-debug error where behavior
>  depends on how a root cert was added to the configuration.

I think you underestimate the challenges to debugging that your solution proposes.

It's fairly easy to understand that "shipped by Mozilla" has a SHA-1
policy, much in the same way it must adhere to the BRs and Mozilla
inclusion policy, and *any* local changes are exempt from that.

It's much harder to explain why this publicly trusted root, which may have
N number of versions of the self-signed certificate available (for
concrete examples, look at the MD5, SHA-1, and SHA-2 versions of
Symantec's various roots)

It also makes it harder to alter behaviour. If a vendor product only
signs MITM certs with SHA-1, and happens to use SHA-2 for the
self-signed root (and yes, I have seen such certificates out there -
usually because the root is generated off-device and then installed on the
device, while the leafs are all generated on-device), then you have to go
re-generate the root in order to meet your proposed policy language.

So I'm definitely in agreement with Richard that it'd be much harder to
debug and advise people on, compared to the simpler "Manually installed
roots are exempt".

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy