On 07/06/2017 12:55, Rob Stradling wrote:
On 06/06/17 22:26, Jakob Bohm wrote:
On 06/06/2017 22:08, Ryan Sleevi wrote:
<snip>
Signing data is heavily reliant on CA competency, and that's in
unfortunately short supply, as the economics of the CA market make it
easy to fire all the engineers, while keeping the sales team, and
outsourcing the rest.
Ryan, thankfully at least some CAs have some engineers. :-)
Which is why I am heavily focused on allowing new technology to be be
developed by competent non-CA staff (such as IETF),
Jakob, if I interpret that literally it seems you're objecting to CA
staff contributing to IETF efforts. If so, may I advise you to beware
of TLS Feature (aka Must Staple), CAA, CT v1 (RFC6962) and especially CT
v2 (6962-bis)?
No, I was just stating that if (as suggested by Mr. Sleevi) the Mozilla
root program does not trust CA engineers to design new to-be-signed data
formats, maybe Mozilla could at least trust designs that have been
positively peer reviewed in organizations such as the IETF, the NIST
computer security/crypto groups, etc. etc.
I was in no way suggesting that CA engineers do not participate in those
efforts, giving as an example their participation in early CT
deployments together with Google engineers.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
