On 18/10/2016 00:39, Kurt Roeckx wrote:
> On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:
>> Over the past few years, this has caused the Mozilla root list to
>> become less and less useful for the rest of the open source world, a
>> fact which at least some of the Mozilla-root-list-copying open source
>> projects seem not to be aware of yet.
> I think the problems for the open source community are:
> 1) There is no good way to deal with revocation checking, it
> doesn't have anything that deals with something like OneCRL
> 2) Mozilla doesn't care about non-https.
> The solution that seems to be preferred for 1) is to have mandatory
> OCSP stapling. But I don't see that happening any time soon.
Let me add:
3) Any ad-hoc code added to Mozilla products (e.g. to apply some new
checking method for WoSign certificates) will not magically appear
in other code at the same time, if ever.
4) Contrary to what OCSP-stapling fans claim, it is not a panacea, and
is notably missing in many server side code bases.
5) OneCRL, even if it was checked by other projects, is an arbitrary
hodgepodge of CA revocations, SubCA revocations and selected end-cert
revocations, that cannot possibly match the policies of anyone except
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list