On 18/10/2016 00:39, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:

Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world, a
fact which at least some of the Mozilla-root-list-copying open source
projects seem not to be aware of yet.

I think the problems for the open source community are:
1) There is no good way to deal with revocation checking, it
   doesn't have anything that deals with something like OneCRL
2) Mozilla doesn't care about non-https.

The solution that seems to be preferred for 1) is to have mandatory
OCSP stapling. But I don't see that happening any time soon.

Let me add:

3) Any ad-hoc code added to Mozilla products (e.g. to apply some new
   checking method for WoSign certificates) will not magically appear
   in other code at the same time, if ever.

4) Contrary to what OCSP-stapling fans claim, it is not a panacea, and
   is notably missing in many server side code bases.

5) OneCRL, even if it was checked by other projects, is an arbitrary
   hodgepodge of CA revocations, SubCA revocations and selected end-cert
   revocations, that cannot possibly match the policies of anyone except
   its maintainers.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list