On 06/10/16 06:46, Peter Bowen wrote:
> I think we can all look back with 20/20 hindsight and say that device
> vendors should not use the same roots as browsers and that maybe CAs
> should have created "SHA-1 forever" roots for devices that never plan
> to update, but that is great hindsight. We have the problem now, so we
> need an answer.
The trouble with this line of argument is that way back at the beginning of the CAB Forum in the middle of the last decade, we had various troubles of this sort where CAs said "well, people keep embedding our roots and then coming to us and expecting certificates, so we can't do X, Y or Z because otherwise they'll be in trouble" - i.e. exactly the same problem, and yet here we are in 2016 and it keeps happening.

How can we dissuade people from this idiotic behaviour? It seems like CAs haven't managed to educate them (if they've even tried). One starts to think that only if this course of action becomes painful and expensive rather than grudgingly tolerated will word get around.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

