> On Jan 24, 2018, at 15:20, Wayne Thayer via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> 2. On 19-December, significant concerns were raised about the reliability
> of the domain validation methods specified in BR 3.2.2.4.1 and 3.2.2.4.5.
> [3] Since then, discussions on the CA/Browser Forum Public list have
> resulted in a proposed ballot to prohibit the use of these methods after
> 1-August 2018. [4] If your CA uses either of these methods, please evaluate
> your implementation for vulnerabilities and be prepared to discontinue
> their use prior to the deadline if ballot 218 succeeds.

Is there a reason to make this deprecation conditional on the ballot? Given 
what we know about how the vulnerable methods are used in the wild, they have 
the same level of brokenness as TLS-SNI-01/02 and it’s not clear how evaluating 
for vulnerabilities would fix anything. August is a long time from now, and 
even that date would be conditional on the ballot.

I strongly believe that requiring CAs to disclose their use of these methods 
immediately, and setting a date not more than a couple months from now where 
these methods and previous validations using them must not be used would be the 
correct choice to protect Mozilla’s users.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy