On Thu, Nov 17, 2016 at 4:38 PM, Matt Palmer <[email protected]> wrote:

>> (Note: Key pinning isn't the only advantage to being able to freely operate
>> your own intermediate CA.)
>
> I don't see how freely operating your own intermediate CA is a pre-requisite
> for key pinning, either.

If you don't have your own CA, you have to choose between pinning to a CA who might collapse or change their business model such that you can't use them, or pinning end-entity keys, which is highly limiting.

> Nor do I accept that running a TCSC in line with
> the minimum standards agreed for participation in the WebPKI *must*,
> absolutely and without need for further justification, be prohibitively
> expensive.

If you have to meet the BRs (which is currently the terms of the BRs, even for TCSC), then you must have a physically segregated set of systems just for the CA that have physical access restriction to only CA personnel. You must have at least two FIPS 140 Level 3 HSMs, a disaster recovery facility, an annual penetration test, quarterly vulnerability scans, at least two people to run the CA, and pay an auditor to witness the key generation ceremony. I'm sure you can find some options to cut costs, but right now I'm sure this is tens of thousands of USD to get set up.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
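The trade-off Peter describes (pin to a CA key that may go away, or pin end-entity keys and lose flexibility) follows from the pin validation rule in RFC 7469: a chain is accepted if at least one SubjectPublicKeyInfo in the validated chain hashes to a pin in the set. The example below, added here and not part of the thread, applies that rule to constructed stand-in SPKI byte strings (labelled as such; real pins are computed over the DER-encoded SPKI) across a leaf key rotation and a change of issuing CA, so both failure modes are visible.

```python
import base64
import hashlib

# Constructed stand-in SubjectPublicKeyInfo blobs (not real DER). The pin
# computation only depends on the bytes the chain presents, so this is
# enough to show how each pinning strategy behaves over time.
ROOT_SPKI = b"constructed-spki:root-ca"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
LEAF_SPKI_V1 = b"constructed-spki:leaf-key-2016"
LEAF_SPKI_V2 = b"constructed-spki:leaf-key-2017"   # key rotated on renewal

# A different CA the site is forced to move to (the "CA collapses or
# changes its business model" case).
OTHER_ROOT_SPKI = b"constructed-spki:other-root-ca"
OTHER_INTERMEDIATE_SPKI = b"constructed-spki:other-intermediate-ca"


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """RFC 7469 validation: the validated chain (leaf to root) must contain
    at least one SPKI whose fingerprint appears in the pin set."""
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


# Chains as a client would see them, leaf first.
CHAIN_2016 = [LEAF_SPKI_V1, INTERMEDIATE_SPKI, ROOT_SPKI]
CHAIN_2017 = [LEAF_SPKI_V2, INTERMEDIATE_SPKI, ROOT_SPKI]      # leaf rotated
CHAIN_NEW_CA = [LEAF_SPKI_V2, OTHER_INTERMEDIATE_SPKI, OTHER_ROOT_SPKI]


def pinning_outcomes() -> dict:
    """Evaluate end-entity pinning and CA pinning against each chain."""
    leaf_pins = {pin_sha256(LEAF_SPKI_V1)}          # pin the 2016 leaf key
    ca_pins = {pin_sha256(INTERMEDIATE_SPKI)}       # pin the issuing CA key
    return {
        # Leaf pin: fine until the leaf key is rotated, then every client
        # holding the old pin rejects the site.
        "leaf_pin_before_rotation": chain_matches_pins(CHAIN_2016, leaf_pins),
        "leaf_pin_after_rotation": chain_matches_pins(CHAIN_2017, leaf_pins),
        # CA pin: survives leaf rotation, but fails the moment the site has
        # to move to a different issuing CA.
        "ca_pin_before_rotation": chain_matches_pins(CHAIN_2016, ca_pins),
        "ca_pin_after_rotation": chain_matches_pins(CHAIN_2017, ca_pins),
        "ca_pin_after_ca_change": chain_matches_pins(CHAIN_NEW_CA, ca_pins),
    }


if __name__ == "__main__":
    for name, ok in pinning_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The only pin that is immune to both events is one for a key the site itself controls across rotations and CA changes, which is the case for an intermediate the operator runs. RFC 7469 also requires a backup pin for a key not yet in the chain, which mitigates the leaf-rotation case but not a forced CA change.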

