On 2017-Jun-27, 13:49 , "dev-security-policy on behalf of Gervase Markham via dev-security-policy" wrote:
> On 27/06/17 10:35, Ryan Sleevi wrote:
>> For example, one possible suggestion is to adopt a scheme similar to, or
>> identical to, Microsoft's authroot.stl, which is PKCS#7, with attributes
>> for indicating age and expiration, and the ability to extend with
>> vendor-specific attributes as needed. One perspective would be to say that
>> Mozilla should just use this work.
>
> That's one option. I would prefer something which is both human and
> computer-readable, as certdata.txt (just about) is.

One possibility would be to look at the Trust Anchor Management Protocol
(TAMP - RFC5934). It uses CMS, which would give you the flexibility to define
usages and signed attributes, but it might not land well in terms of human
readability, I don't know. Ryan Hurst over at Google pointed us in that
direction and mentioned he was looking at that for his tl-create tool
(https://github.com/PeculiarVentures/tl-create), so it might be worth a look.
An open standard like that might also allay concerns over something more
proprietary like STL.

--
Jos Purvis (jopur...@cisco.com)
.:|:.:|:. cisco systems | Cryptographic Services
PGP: 0xFD802FEE07D19105