On 27/12/2018 16:24, Ryan Sleevi wrote:
> On Thu, Dec 27, 2018 at 9:34 AM Jakob Bohm via dev-security-policy <[email protected]> wrote:
>
>> On 26/12/2018 22:42, Peter Bowen wrote:
>>> In the discussion of how to handle certain certificates that no longer meet
>>> CA/Browser Forum baseline requirements, Wayne asked for the "Reason that
>>> publicly-trusted certificates are in use" by the customers. This seems to
>>> imply that Mozilla has an opinion that the default should not be to use
>>> "publicly-trusted certificates". I've not seen this previously raised, so
>>> I want to better understand the expectations here and what customers should
>>> consider for their future plans.
>>>
>>> Is the expectation that "publicly trusted certificates" should only be used
>>> by customers for servers that are:
>>> - meant to be accessed with a Mozilla web browser, and
>>> - publicly accessible on the Internet (meaning the DNS name is publicly
>>>   resolvable to a public IP), and
>>> - committed to complying with a 24-hour (wall time) response time
>>>   certificate replacement upon demand by Mozilla?
>>>
>>> Is the recommendation from Mozilla that customers who want to allow Mozilla
>>> browsers to access sites but do not want to meet one or both of the other
>>> two use the Firefox policies for Certificates (
>>> https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
>>> ) to add a new CA to the browser?
>>>
>>
>> Also, is the recommendation that customers should not use publicly
>> trusted certificates for servers that are meant to be accessed by the
>> general public using a Mozilla web browser unless they are
>>
>>> - committed to complying with a 24-hour (wall time) response time
>>>   certificate replacement upon demand by Mozilla?
>>
>
> Could you help me understand how that question is meaningfully different
> than what Peter originally asked?
>
> He described three combined conditions to be met. You've described a
> situation "What if you meet two, but not three". I believe that was
> originally captured in his question, so what new information is being asked
> about here?
>

Using Firefox policies to reconfigure the browser is not a relevant
alternative for genuinely public web servers in the age of
HTTPS-everywhere. That's the difference from the other combinations.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

