On 2017-Jun-27, 13:49 , "dev-security-policy on behalf of Gervase Markham via dev-security-policy" wrote:
On 27/06/17 10:35, Ryan Sleevi wrote:
> For example, one possible suggestion is to adopt a scheme similar to, or
> identical to, Microsoft's authroot.stl, which is PKCS#7, with attributes
> for indicating age and expiration, and the ability to extend with
> vendor-specific attributes as needed. One perspective would be to say that
> Mozilla should just use this work.
That's one option. I would prefer something which is both human and
computer-readable, as certdata.txt (just about) is.
One possibility would be to look at the Trust Anchor Management Protocol (TAMP
- RFC5934). It uses CMS, which would give you the flexibility to define usages
and signed attributes, but it might not land well in terms of human
readability, I don’t know. Ryan Hurst over at Google pointed us in that
direction and mentioned he was looking at that for his tl-create tool
(https://github.com/PeculiarVentures/tl-create), so it might be worth a look.
An open standard like that might also allay concerns over something more
proprietary like STL.
--
Jos Purvis ([email protected])
.:|:.:|:. cisco systems | Cryptographic Services
PGP: 0xFD802FEE07D19105
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
