On 2017-04-11 17:20, Ryan Sleevi wrote:
> On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy <
> [email protected]> wrote:
>> Hi Ryan,
>> On 10/04/17 16:38, Ryan Sleevi wrote:
>>> 1) You're arguing that "the issuance of this cert didn't impose risk on
>>> anyone but this specific customer"
>>> a) What factors led you to that decision?
>> Can you lay out for us a scenario where this issuance might impose risk
>> on someone else?
> Sure. Consider the ecosystem risk if every CA were to continue
> issuing 1024-bit certs. This imposes a risk on the collective users of the
> ecosystem, but notably Mozilla users, when accessing these sites, because
> it provides a weaker security guarantee than other sites. That is, it means
> the 'effective' security of the lock is gated on 1024-bit.
> Similarly, if we accept that 1024-bit does no one but the subscriber any
> harm, then it meaningfully prevents disabling 1024-bit support for leaf
> certs, both for Mozilla and the ecosystem.
The reply indicated that it was a non-browser application. So I
understand that a browser should never see that certificate.
The question is, can that certificate be used for authenticating
something it shouldn't? And I guess that's not the case.
Kurt
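As an added illustration of the question above (not code from the thread or from anyone in it): a small openssl-based audit that reports a certificate's RSA key size and whether its extendedKeyUsage would let a browser accept it for TLS server authentication, which is what separates "weak but scoped to one non-browser application" from "weak and reachable by every Mozilla user". It assumes the openssl CLI (1.1.1 or newer) is on PATH and constructs its own 1024-bit, clientAuth-only sample certificate.

```shell
#!/bin/sh
# Added example: audit a PEM certificate for a weak RSA key and for whether
# its EKU permits TLS server authentication. Assumes openssl 1.1.1+ on PATH.
set -e
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample (not from the thread): a 1024-bit RSA leaf whose EKU is
# limited to clientAuth, i.e. the "non-browser application" case.
make_sample_cert() {
  openssl req -x509 -newkey rsa:1024 -nodes -days 1 \
    -subj "/CN=example-device.test" \
    -addext "extendedKeyUsage=clientAuth" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
  printf '%s\n' "$WORKDIR/cert.pem"
}

# Print the modulus size in bits of the certificate's RSA public key.
# Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "yes" if a browser could use this cert for a TLS server: either no EKU at
# all (unrestricted) or an EKU that lists serverAuth. "no" otherwise.
cert_allows_server_auth() {
  text=$(openssl x509 -in "$1" -noout -text)
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    echo yes
  elif printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

# Verdict: ok / weak-but-scoped / weak-and-browser-reachable.
audit_cert() {
  bits=$(cert_key_bits "$1")
  if [ "$bits" -ge 2048 ]; then echo ok; return; fi
  if [ "$(cert_allows_server_auth "$1")" = yes ]; then
    echo weak-and-browser-reachable
  else
    echo weak-but-scoped
  fi
}

CERT=$(make_sample_cert)
echo "key bits: $(cert_key_bits "$CERT")"
echo "verdict: $(audit_cert "$CERT")"
```

A certificate with no EKU at all is treated as browser-reachable on purpose: absent the extension, nothing in the cert stops a TLS server from presenting it.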
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy