On Friday, October 14, 2016 at 2:24:37 PM UTC-7, Hanno Böck wrote:
> From my understanding the problem here is that the alternative of simply
> whitelisting the existing certificates isn't feasible, because there
> are too many of them.
Well, there's a spectrum, right? That's been discussed on the list - whether a
whitelist of a portion of certificates, as part of an overall phase down, is
Clearly, there's a spectrum of options - which range from no impact whatsoever
to clients (e.g. continue trusting indefinitely) to immediate impact (complete
distrust). I was mostly trying to figure out what criteria were being weighted
/ how the choice of where to end on the spectrum was chosen.
As it stands, it seems a little inconsistent with respect to security
messaging, and seems to leave Mozilla clients at risk (of backdating), but it
avoids any impact to sites/users. Alternatively, Mozilla might choose to more
consistently/aggressively protect users, but with the corresponding impact to
sites/users. And then there's the broader discussion of whether or not Mozilla
feels it should strive to protect non-Mozilla users, or if that's an
externality that cannot be accounted for, or somewhere in between.
I apologize if I wasn't clearer, but I was trying to communicate that there are
a number of notable, non-Mozilla platforms, that don't support whitelisting. So
the only viable solution for them is full trust or full distrust (these
platforms have the ability to update trust, but not to add more nuanced
options. This is the case for Windows and Android, for example). So with a
Mozilla option that leaves partial trust, these other players must consider
either full trust or full distrust - and that's the ecosystem challenge.
> *however* from what I remember almost all the time the free options of
> startcom/wosign were limited to one year. (I think there was a short
> period of time when it was possible to get 3-year-certs from wosign for
> free, but they removed that shortly afterwards.)
It was quite some time, and outside of the free cert realm, it certainly was
easier to get 3-year certs. As noted elsewhere, the proposal would basically
involve trusting for 3y.
dev-security-policy mailing list