On Wed, Dec 26, 2018 at 2:42 PM Peter Bowen via dev-security-policy < [email protected]> wrote:
> In the discussion of how to handle certain certificates that no longer meet
> CA/Browser Forum baseline requirements, Wayne asked for the "Reason that
> publicly-trusted certificates are in use" by the customers. This seems to
> imply that Mozilla has an opinion that the default should not be to use
> "publicly-trusted certificates". I've not seen this previously raised, so
> I want to better understand the expectations here and what customers should
> consider for their future plans.
>

The context for the question is that at least one of the organizations having difficulty with the underscore sunset stated that they couldn't just replace the certificates - they need to ship updates to the client. If you are hard-coding certificate information into client software, it's fair to ask why you're using publicly-trusted certificates (PTCs). I believe a similar concern was discussed at length during the SHA-1 sunset in relation to payment terminals.

As has been suggested, maybe it's simply a matter of cost. I suspect, however, that it is more about a lack of recognition of the responsibilities that come along with using PTCs. In the spirit of incident reporting, I think it would help to have a better understanding of the decisions that are driving the use of PTCs in these use cases.

> Is the expectation that "publicly trusted certificates" should only be used
> by customers who for servers that are:
> - meant to be accessed with a Mozilla web browser, and
>

No.

> - publicly accessible on the Internet (meaning the DNS name is publicly
> resolvable to a public IP), and
>

No.

> - committed to complying with a 24-hour (wall time) response time
> certificate replacement upon demand by Mozilla?
>

Committed to comply with section 4.9.1.1 (Reasons for Revoking a Subscriber Certificate) of the BRs - yes.

> Is the recommendation from Mozilla that customers who want to allow Mozilla
> browsers to access sites but do not want to meet one or both of the other
> two use the Firefox policies for Certificates (
> https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
> ) to add a new CA to the browser?
>

No, that was not my intent. Rather, I am hoping for a better recognition of the commitments (per the Subscriber Agreement and CPS) and risks involved when an organization chooses to use PTCs, especially for non-browser use cases.

> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

