On Thu, Dec 27, 2018 at 9:34 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 26/12/2018 22:42, Peter Bowen wrote:
> > In the discussion of how to handle certain certificates that no longer meet
> > CA/Browser Forum baseline requirements, Wayne asked for the "Reason that
> > publicly-trusted certificates are in use" by the customers. This seems to
> > imply that Mozilla has an opinion that the default should not be to use
> > "publicly-trusted certificates". I've not seen this previously raised, so
> > I want to better understand the expectations here and what customers should
> > consider for their future plans.
> >
> > Is the expectation that "publicly trusted certificates" should only be used
> > by customers for servers that are:
> > - meant to be accessed with a Mozilla web browser, and
> > - publicly accessible on the Internet (meaning the DNS name is publicly
> >   resolvable to a public IP), and
> > - committed to complying with a 24-hour (wall time) response time
> >   certificate replacement upon demand by Mozilla?
> >
> > Is the recommendation from Mozilla that customers who want to allow Mozilla
> > browsers to access sites but do not want to meet one or both of the other
> > two use the Firefox policies for Certificates (
> > https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
> > ) to add a new CA to the browser?
> >
> Also, is the recommendation that customers should not use publicly
> trusted certificates for servers that are meant to be accessed by the
> general public using a Mozilla web browser unless they are
>
> > - committed to complying with a 24-hour (wall time) response time
> >   certificate replacement upon demand by Mozilla?

Could you help me understand how that question is meaningfully different than what Peter originally asked? He described three combined conditions to be met. You've described a situation "What if you meet two, but not three". I believe that was originally captured in his question, so what new information is being asked about here?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy