On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote:
> A variation of this, would be to create (compacted) whitelists for
> specific old intermediary certs,

It sounds like you haven't been following this conversation, but the entire point of restarting this thread, and in the previous discussion, was that magic (compacted) whitelists are a bit like magic beans; yes, they can solve all our problems, but they don't exist, and so we have to decide what to do with the remaining costs. In this case, the fundamental concern is that a whitelist of certs is too large, even compacted, and probabilistic structures are also too large and too risky when compacted to a desired size. So we end up with alternative whitelists, such as what I proposed.

> then tag the CA root as requiring
> other measures (such as CT) where not overridden via whitelisting.
> That way, the CA cannot bypass the measure by creating new intermediary
> certs for which no trust restrictions exist.

This is literally part of what I proposed. "It could be combined with, say, requiring CT for new certs."

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
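To put numbers on the size-versus-risk tradeoff the message above describes, here is an added example that is not part of the thread: a Bloom filter over constructed certificate fingerprints, with the standard sizing formulas. For a whitelist, a false positive means a cert that was never whitelisted gets the exemption, so shrinking the filter converts bytes saved directly into fail-open risk; the fingerprint labels and function names are my own.

```python
import hashlib
import math


def bloom_bits_for(n: int, p: float) -> int:
    """Minimum filter size in bits for n members at false-positive rate p."""
    return math.ceil(-n * math.log(p) / (math.log(2) ** 2))


def bloom_fp_rate(m: int, n: int, k: int) -> float:
    """Expected false-positive rate of an m-bit filter holding n members, k hashes."""
    return (1 - math.exp(-k * n / m)) ** k


def optimal_hashes(m: int, n: int) -> int:
    """Number of hash functions that minimises the false-positive rate for m bits, n members."""
    return max(1, round(m / n * math.log(2)))


class BloomFilter:
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        # Derive k positions from one SHA-256 digest (double hashing, h2 forced odd).
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def measure_fp_rate(n_members: int, m_bits: int, n_probes: int = 20000) -> float:
    """Fill a filter with constructed 'whitelisted' fingerprints, then probe with
    non-members and return the fraction wrongly reported as whitelisted."""
    bf = BloomFilter(m_bits, optimal_hashes(m_bits, n_members))
    for i in range(n_members):
        bf.add(hashlib.sha256(b"whitelisted-cert-%d" % i).digest())  # constructed member
    hits = sum(hashlib.sha256(b"other-cert-%d" % j).digest() in bf for j in range(n_probes))
    return hits / n_probes
```

For one million whitelisted certs at a one-in-a-million false-positive rate the formula needs roughly 3.6 MB; squeezing the same set into 1 MB raises the expected rate to about 1.8%, which is the "too risky when compacted" point in practice.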