On 18/10/16 06:00, Jakob Bohm wrote:
> Non-https TLS is not (and should not be) a separate trust bit from
> https, but sometimes the logic applicable to trust policies, BRs etc.
> will be slightly different if one doesn't ignore non-https use of TLS.
> I have encountered arguments and policies that are valid only for the
> specific case of up-to-date-web-browser https.

When such arguments occur, please do us the service of pointing them out
:-) While it is true that HTTPS is a very important focus, Mozilla
should care about at least POPS, SMTPS and IMAPS, and other protocols
too. If we are taking actions which are problematic for non-HTTPS TLS,
we should at the very least take them with full knowledge of what those
problems are.


dev-security-policy mailing list
