On 11/05/2017 18:42, Ryan Sleevi wrote:
> On Thu, May 11, 2017 at 11:57 AM, Alex Gaynor via dev-security-policy <
> [email protected]> wrote:
>
>> Ryan,
>>
>> I think you've correctly highlighted that there's a problem -- the Mozilla
>> CA store is "designed" to be consumed from NSS, and CA-specific
>> remediations are a part of that (hash algorithms, maximum certificate
>> lifetimes, and any number of other important technical controls).
>>
>> Unfortunately, we're currently in a position where, near as I can tell, most
>> code (except Go code :P) making HTTPS requests is using a Mozilla-derived
>> CA store and OpenSSL's verifier, which only provides a subset of the
>> technical controls browsers implement. This is unfortunate, particularly
>> because these clients also do not check CT, so it's entirely possible to
>> serve them certs which are not publicly visible. In a large sense, browsers
>> currently act as canaries-in-the-coalmine, protecting non-browser clients.
>>
>> Like Cory, I help maintain non-browser TLS clients. To that end, I think
>> it'd be outstanding if as a community we could find a way to get more of
>> these technical controls into non-browser clients -- some of this is just
>> things we need to do (e.g. add hash algorithm and lifetime checking to
>> OpenSSL or all consumers of it),
>
> Yes :) There's a significant amount that needs to happen in the third-party
> verifiers to understand and appreciate the risk of certain behaviours ;)
>
>> others need coordination with Mozilla's
>> root program, and I think Cory's proposal highlights one way of making that
>> happen.
>
> Right, but these already flow into the NSS trust store - when appropriate.
> I'm sure you can understand when a piece of logic is _not_ implemented in
> NSS (e.g. because it's not generic beyond the case of browsers), that it
> seems weird to put it in/expose it in NSS :)
>
> To be clear: I'm not trying to suggest it's an entirely unreasonable
> request, merely an explanation of the constraints around it and why the
> current approach is employed that tries to balance what's right for Mozilla
> users and the overall NSS-using community :)


Can you please get it into your thick skull that this thread is NOT
ABOUT NSS, IT IS ABOUT ALL THE OTHER X.509 LIBRARIES that can be
configured to use a copy of the Mozilla Root store!


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
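Alex's point above is that a non-browser client which borrows the Mozilla root store but verifies with a third-party library gets chain validation and nothing else: no rejection of weak signature hashes, no cap on leaf lifetime, no Certificate Transparency evidence. The block below is an added example, not code from the thread, from Mozilla, or from any of the libraries discussed. It layers those three controls on top of whatever chain verification the TLS stack already did, shaped as a Go tls.Config.VerifyPeerCertificate hook. The 398-day cap, the set of rejected algorithms, and the two test certificates minted in-process are assumptions and constructed inputs for the example; the SCT check only tests for the extension's presence (RFC 6962 OID 1.3.6.1.4.1.11129.2.4.2), which is a floor rather than real CT verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed policy value for this example, not quoted from any root program text.
const maxLeafLifetime = 398 * 24 * time.Hour

// OID of the embedded SCT list extension (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Signature algorithms to refuse outright (assumed list for the example).
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// CheckLeafPolicy applies hash-algorithm, lifetime and CT-presence controls to an
// already chain-validated leaf, collecting every violation rather than the first.
func CheckLeafPolicy(leaf *x509.Certificate, now time.Time) error {
	var problems []string
	if weakSigAlgs[leaf.SignatureAlgorithm] {
		problems = append(problems, fmt.Sprintf("weak signature algorithm %v", leaf.SignatureAlgorithm))
	}
	if lifetime := leaf.NotAfter.Sub(leaf.NotBefore); lifetime > maxLeafLifetime {
		problems = append(problems, fmt.Sprintf("validity period %v exceeds cap of %v", lifetime, maxLeafLifetime))
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		problems = append(problems, "certificate not valid at the current time")
	}
	hasSCT := false
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidSCTList) {
			hasSCT = true // presence only; a real client would verify the SCT signatures
		}
	}
	if !hasSCT {
		problems = append(problems, "no embedded SCT list; cert may not be publicly logged")
	}
	if len(problems) == 0 {
		return nil
	}
	return errors.New("leaf policy: " + strings.Join(problems, "; "))
}

// PolicyHook has the shape of tls.Config.VerifyPeerCertificate, which Go calls
// after its own chain verification; rawCerts[0] is the peer's leaf.
func PolicyHook(now func() time.Time) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		return CheckLeafPolicy(leaf, now())
	}
}

// mintTestCert builds a constructed self-signed ECDSA/SHA-256 leaf with the given
// lifetime, optionally carrying a placeholder (empty OCTET STRING) SCT extension.
func mintTestCert(lifetime time.Duration, withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
	}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := mintTestCert(90*24*time.Hour, true)
	bad, _ := mintTestCert(825*24*time.Hour, false)
	fmt.Println("90-day, logged:   ", CheckLeafPolicy(good, time.Now()))
	fmt.Println("825-day, unlogged:", CheckLeafPolicy(bad, time.Now()))
}
```

Wire PolicyHook into a tls.Config with VerifyPeerCertificate and the checks run on every handshake after Go's normal chain building; the same three checks can be ported to any verifier that exposes the parsed leaf, which is the gap Alex describes for OpenSSL-based clients.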