On Tue, Dec 18, 2018 at 1:53 PM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
> The problem is that the attackers get to choose the CA they use, so > multi-perspective validation doesn't provide any benefits unless everyone > has to do it. > > I brought it up several times at the validation working group and as a > discussion topic at the Shanghai face to face, but unfortunately there > doesn't seem to be much enthusiasm for requiring it. > I think it's great that you're focused on the end-goal, and I certainly share your perspective on the security properties. However, I think you're overlooking that the reason that there is not much enthusiasm for it is precisely because mandating something, without implementation experience, tends to lend itself to CAs having trouble deploying. That's not to suggest there's an oppositon to mandate - when push comes to shove, ultimately users' security needs to take precedence - but that it's both irresponsible and premature to propose mandating it (or forming a committee on mandating it, or a committee to discuss the requirements a mandate would have, etc) before there's been any progress on what works or doesn't work. As a result, knowing that organizations like Sectigo and Let's Encrypt are either actively working on it or assigning resources to think about it in the context of their system IS encouraging, and suggests that we do have a path forward, once we've gathered meaningful feedback. I know that some CAs feel browsers "rush in" on things, and even I feel odd pushing back against you on requiring it, but I think that if we want to have this provide any value, then in addition to, and prior to, mandating it, we need to actually write down what it means, have a think about how it works, and how to attack it. And it sounds like Sectigo and Let's Encrypt have begun that step, and I hope that any other CAs participating or following the list are doing the same and can commit to it. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
