On 27/12/2018 17:28, Ryan Sleevi wrote:
On Thu, Dec 27, 2018 at 11:12 AM Jakob Bohm via dev-security-policy <
[email protected]> wrote:
Yes, you are consistently mischaracterizing everything I post.
My question was a refinement of the original question to the one case
where the alternative in the original question (configuring the browser
to trust a non-default PKI) would not be meaningful.
I hope you can understand my confusion, as again, you've provided a
statement, but not an actual question.
Peter provided two, fairly simple to understand, very direct questions:
Is the expectation that "publicly trusted certificates" should only be used
by customers for servers that are:
- meant to be accessed with a Mozilla web browser, and
- publicly accessible on the Internet (meaning the DNS name is publicly
resolvable to a public IP), and
- committed to complying with a 24-hour (wall time) response time
certificate replacement upon demand by Mozilla?
Is the recommendation from Mozilla that customers who want to allow Mozilla
browsers to access sites but do not want to meet one or both of the other
two use the Firefox policies for Certificates (
https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
) to add a new CA to the browser?
You presented a question as:
Is the recommendation that customers should not use publicly
trusted certificates for servers that are meant to be accessed by the
general public using a Mozilla web browser unless they are committed
to complying with a 24-hour (wall time) response time certificate
replacement upon demand by Mozilla?
It would appear that it is merely a rephrasing of that first question, but
as a negative question ("should not") rather than Peter's original positive
question ("should only").
Could you help me understand what's different about Peter's first question
and your question? It's very clear you have opinions as to the second
question, but it still seems as if you're merely asking the first question,
but in a way that provides less information. If there's something new or
unique to the question, rephrasing your question may make it clearer. Doing
so without expressing a particular opinion on what the answer should be
seems like an even more positive step forward.
Once again, the question was about the special case of the combination
of Peter's two closely related questions for the case where the option
suggested in the second question (using Firefox policies for
Certificates) makes no sense, as the "customer" does not control the
browser.
But you seem insistent on mischaracterizing an unpleasant question in
every way possible.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded