On Monday, 27 November 2017 23:37:59 CET Ryan Sleevi wrote: > On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario <[email protected]> wrote: > > > So no, we should not assume well-meaning actors, and we should be > > > > explicit > > > > > about what the "intention" of the RFCs is, and whether they actually > > > achieve that. > > > > but we should achieve that by saying "do this", not "don't do this", > > enumerating badness doesn't work - ask firewall people if you don't > > believe > > me. > > > > Or did we add to policy that keys revoked because they may haven been > > compromised (heartbleed) can't be reused? Ever? Even by a different CA? > > You've completely misframed my proposal. I'm enumerating a specific > whitelist of what is permitted. Every other option, unless otherwise > permitted, is restricted. I'm even going to the level of proposing a > byte-for-byte comparison function such that there's not even a prosaic > whitelist - it's such that the policy is black and white and transcends > language barriers by expressing directly in the technology. > > You're enumerating a blacklist - saying that all of the flexibility of 4055 > is permitted (except for these specific combinations), but propose to > enforce neither of those through code or policy.
where did I do that? it's the second time you're putting words in my mouth, I really do not appreciate that. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
