On Friday, 8 July 2016 07:04:49 UTC+1, Peter Gutmann wrote:

> Various SCEP drafts have contained all sorts of stuff that was dropped when
> no-one cared about it. The "out of band"/"beyond the scope of this document"
> is standard boilerplate that's used when no-one cares enough to include it in
> the document. In fact it pretty much explicitly says that it's not covered in
> the doc because no-one cared how it was done.

But alas, even if you didn't care, it does matter. Which is why there's VU#971035.

SCEP (and all the real SCEP implementations that I could find) take the optimistic view that this is somebody else's problem, and so the practical result is security theatre. Certificates are issued, public key mathematics is done, there is a superficial appearance of a secure system, but no useful assurance of identity is achieved and so no real threat is neutralised.

> What does that have to do with no-one bothering to add whatever magic
> ingredient ACME is claiming to have to any other protocol that does the same
> thing?

This idea that you should just be able to "add whatever magic ingredient" is the exact sort of naivety that Bruce is talking about.

> OK, I think I can parse that convoluted sentence... in response: Each week who
> knows how many certificates are issued using HTTP POST, Xenroll.dll, SCEP,
> CMP, and who knows what else. What's your point?

This is still mozilla.dev.security.policy. ACME automatically issues certificates that are trustworthy in the web PKI. That's the point of the protocol and the point of my statistic. Counting up certificates that aren't ever going to be trusted by Mozilla's software may make you feel better about the time you invested, but it's not relevant to this group.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

