On Friday, October 14, 2016 at 2:24:37 PM UTC-7, Hanno Böck wrote:
> From my understanding the problem here is that the alternative of simply
> whitelisting the existing certificates isn't feasible, because there
> are too many of them.

Well, there's a spectrum, right? That's been discussed on the list - whether a 
whitelist of a portion of certificates, as part of an overall phase down, is 

Clearly, there's a spectrum of options - which range from no impact whatsoever 
to clients (e.g. continue trusting indefinitely) to immediate impact (complete 
distrust). I was mostly trying to figure out what criteria were being weighted 
/ how the choice of where to end on the spectrum was chosen.

As it stands, it seems a little inconsistent with respect to security 
messaging, and seems to leave Mozilla clients at risk (of backdating), but it 
avoids any impact to sites/users. Alternatively, Mozilla might choose to more 
consistently/aggressively protect users, but with the corresponding impact to 
sites/users. And then there's the broader discussion of whether or not Mozilla 
feels it should strive to protect non-Mozilla users, or if that's an 
externality that cannot be accounted for, or somewhere in between.

I apologize if I wasn't clearer, but I was trying to communicate that there are 
a number of notable, non-Mozilla platforms, that don't support whitelisting. So 
the only viable solution for them is full trust or full distrust (these 
platforms have the ability to update trust, but not to add more nuanced 
options. This is the case for Windows and Android, for example). So with a Mozilla 
option that leaves partial trust, these other players must consider either full 
trust or full distrust - and that's the ecosystem challenge.

> *however* from what I remember almost all the time the free options of
> startcom/wosign were limited to one year. (I think there was a short
> period of time when it was possible to get 3-year-certs from wosign for
> free, but they removed that shortly afterwards.)

It was quite some time, and outside of the free cert realm, it certainly was 
easier to get 3-year certs. As noted elsewhere, the proposal would basically 
involve trusting for 3y.
dev-security-policy mailing list
