On 26/12/2018 22:42, Peter Bowen wrote:
> In the discussion of how to handle certain certificates that no longer meet
> CA/Browser Forum baseline requirements, Wayne asked for the "Reason that
> publicly-trusted certificates are in use" by the customers. This seems to
> imply that Mozilla has an opinion that the default should not be to use
> "publicly-trusted certificates". I've not seen this previously raised, so
> I want to better understand the expectations here and what customers should
> consider for their future plans.
>
> Is the expectation that "publicly trusted certificates" should only be used
> by customers for servers that are:
> - meant to be accessed with a Mozilla web browser, and
> - publicly accessible on the Internet (meaning the DNS name is publicly
> resolvable to a public IP), and
> - committed to complying with a 24-hour (wall time) response time
> certificate replacement upon demand by Mozilla?
>
> Is the recommendation from Mozilla that customers who want to allow Mozilla
> browsers to access sites but do not want to meet one or both of the other
> two use the Firefox policies for Certificates (
> https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
> ) to add a new CA to the browser?
>
Also, is the recommendation that customers should not use publicly
trusted certificates for servers that are meant to be accessed by the
general public using a Mozilla web browser unless they are

> - committed to complying with a 24-hour (wall time) response time
> certificate replacement upon demand by Mozilla?

Which I have repeatedly argued is extremely onerous on a huge subset of
all server operators.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

