On Wed, Jan 24, 2018 at 5:05 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > Is there a reason to make this deprecation conditional on the ballot?
> > Given what we know about how the vulnerable methods are used in the wild,
> > they have the same level of brokenness as TLS-SNI-01/02 and it’s not clear
> > how evaluating for vulnerabilities would fix anything.
>
>
> This is a matter of timing. When possible, we should give the CA/Browser
> Forum time to act before Mozilla does so unilaterally. Also, changing our
> own policy is a process that would need to happen before we send this
> communication. I have already suggested the Mozilla policy change [1].
>

Why is this?

Mozilla unilaterally acted with the 10 Blessed Methods in order to mitigate
security risks, after the Forum kept postponing.
Google and Microsoft (and later Mozilla) unilaterally acted with the
deprecation of SHA-1.

The CA/Browser Forum consensus process does not produce results aligned
with the Mozilla Foundation Manifesto, per se, as it reflects a consensus
process where 2/3 of CAs have agreed to do something. This naturally
creates a situation of regulatory capture unaligned with the interests of
or security of Mozilla users.

There are two parts to the question at play here:
1) Does Mozilla believe the ballot is likely to pass the Forum, given a
number of CAs' stated opposition?
2) Does Mozilla believe August is an appropriate time to cease the
practice, given the risks?
  - Similarly, is Mozilla comfortable with accepting certificates using
methods with disclosed vulnerabilities between now and that time, and that
CAs sufficiently understand said vulnerabilities and have devised (but
seemingly not yet disclosed) appropriate mitigations or controls?


> We could still choose to set that date in our own policy if the ballot were
> to fail. The reasoning behind that date has been discussed on the
> CA/Browser Forum lists.


Are you talking about the public list, or some other list, such as the Validation
WG list? As a co-endorser of the Ballot, in its current form of August, it
was presented that unless we agreed to endorse at August, it was not worth
putting forward. One reason privately put forward as to why August was
because "other user agents" would vote against it unless it was August. Is
Mozilla such a User Agent?

I'm not yet aware of conversation that speaks to the volume of its usage
(those questions have gone unanswered) or to the challenges in migrating to
an alternative method (such as .2 or .3), which are still remarkably
flexible and, indeed, mitigations for the risk of .1 inevitably come back
to being .2 or .3 methods.


> I would summarize the argument as (1) a number of
> smaller CAs rely solely on 3.2.2.4.1 and (2) those that have commented
> agreed that 6 months was enough time to migrate away from it.
>

I've not seen any CA publicly state that 6 months was sufficient time. Was
this on the Validation list?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
