On Thu, Jun 1, 2017 at 4:35 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 31/05/17 18:02, Matthew Hardeman wrote:
> > Perhaps some reference to technologically incorrect syntax (i.e. an
> incorrectly encoded certificate) being a mis-issuance?
> Well, if it's so badly encoded Firefox doesn't recognise it, we don't
> care too much (apart from how it speaks to incompetence). If Firefox
> does recognise it, then I'm not sure "misissuance" is the right word if
> all the data is correct.

I would encourage you to reconsider this, or perhaps I've misunderstood
your position. To the extent that Mozilla's mission includes "The
effectiveness of the Internet as a public resource depends upon
interoperability (protocols, data formats, content) ....", the
well-formedness and encoding directly affects Mozilla users (sites working
in Vendors A, B, C but not Mozilla) and the broader ecosystem (sites
Mozilla users are protected from that vendors A, B, C are not).

I think considering this in the context of "CA problematic practices" may
help make this clearer - they are all things that speak to either
incompetence or confusion (and a generous dose of Hanlon's Razor) - but
their compatibility issues presented both complexity and risk to Mozilla

So I would definitely encourage that improper application of the protocols
and data formats constitutes misissuance, as they directly affect
interoperability and indirectly affect security :)

> > How far does "those containing information which was not properly
> validated" go?  Does that leave the opportunity for someone's tortured
> construction of the rule to suggest that a certificate that everyone agrees
> is NOT mis-issued is in fact technically mis-issued?
> Certs containing data which is not properly validated, which
> nevertheless happens by chance to be correct, are still mis-issued,
> because they are BR-non-compliant. It may be hard to detect this case,
> but I think it should be in the definition. A CA has a positive duty to
> validate/revalidate all data within the timescales established.

Wholeheartedly agree.
dev-security-policy mailing list

Reply via email to