On 2017-04-12 13:42, braddockmews...@gmail.com wrote:
If browsers did policy validation would it have been a problem? I
can't answer that.
So I guess that would be something like require one of the CAB policy IDs for which validation that happened? (126.96.36.199.2.1 for DV, 188.8.131.52.2.2 for OV, 184.108.40.206.2.3 for IV, 220.127.116.11.1 for EV). And that if none of those are present it should reject the certificate?
I would clearly be in favor of those policy IDs to be always present. But there were no such policy IDs in the past, and they're still not required.
The FPKI now seems to use Certificate Policies, not Policy Constraints. If they used Policy Constraints, and the browsers enforced the above policies, it would be obvious that the FPKI couldn't issue certificates that could be used to authenticate servers. I think we need both to prevent it.
You indicate that they started using FPKI for server authentication. I doubt that they have been audited to follow the BR requirements, so I think it would be good that we reject them.
Kurt _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy