On Tue, Apr 11, 2017 at 6:31 AM, Gervase Markham <g...@mozilla.org> wrote:

> Hi Ryan,
> On 10/04/17 17:03, Ryan Sleevi wrote:
> > 2) You stated that "browsers didn't process certificate policy extensions
> > content during path building". This fails to clarify whether you believe
> it
> > was a Baseline Requirements violation, which makes no such statements
> > regarding policy building. Further, no such browser has, except for EV,
> > made use of any policy IDs beyond path building.
> Can you clarify: are you asking if Steve believes that the BRs require
> _browsers_ to do such processing of certificate policy extensions?

No. I'm asking if Symantec, through Steve, is intending to sound like a
Scooby Doo villain <https://www.youtube.com/watch?v=hXUqwuzcGeU>, or
whether it's merely accidental that this reads as "I would have gotten away
with it, if not for you meddling browsers"

More specifically, Symantec has failed to respond as to whether or not they
agree with the facts presented and, if so, whether or not this represents a
Baseline Requirements violation, as suggested. The reply could be read as
suggesting "This was meaningfully technically controlled, it is simply that
browsers failed to enforce that."

This is problematic on multiple fronts, least of all because policy mapping
and IDs have never been a meaningful form of technical control in the Web
PKI, and so I'm hoping for further elaboration on the statement to ensure
it is it not misinterpreted.

> Or if he believes that cross-certifying into a hierarchy which relies
> upon such extensions is a BR violation?

dev-security-policy mailing list

Reply via email to