On Thu, Dec 27, 2018 at 8:34 AM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Dec 27, 2018 at 11:12 AM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Yes, you are consistently mischaracterizing everything I post.
> >
> > My question was a refinement of the original question to the one case
> > where the alternative in the original question (configuring the browser
> > to trust a non-default PKI) would not be meaningful.
> >
>
> I hope you can understand my confusion, as again, you've provided a
> statement, but not an actual question.
>
> Peter provided two, fairly simple to understand, very direct questions:
>

From earlier messages, I realized that the answer to my initial question is
obviously "no", because there is at least one more supported Mozilla
product that uses the same trust store: Thunderbird.  The second part is
also faulty, because it doesn't account for certificates for public IP
addresses.  Fixing this makes the question more complex:

Is it the expectation of Mozilla that "publicly trusted certificates" for
server authentication should only be used by customers for servers that are:
a) meant to be accessed by Mozilla Firefox and/or Mozilla Thunderbird
  - This effectively means the server is serving at least one of HTTP, FTP,
WS (WebSocket), NNTP, IMAP, POP3, SMTP, IRC, or XMPP over TLS (including
iCalendar, CalDAV, WCAP, RSS, and Twitter API over one of the supported
protocols)
b) are publicly accessible on the Internet
  - This means either the server is accessed via an IP address that is a
public IP or via a hostname that is publicly resolvable to a public IP
  - Thunderbird does do SRV record lookups, but SRV records are just
pointers to a hostname, so this does not change the above
c) committed to complying with a 24-hour (wall time) response time
certificate replacement upon demand by Mozilla?

This is a longer question, but more accurately reflects how Mozilla uses
publicly trusted certificates.

> > Is the expectation that "publicly trusted certificates" should only be used
> > by customers for servers that are:
> > - meant to be accessed with a Mozilla web browser, and
> > - publicly accessible on the Internet (meaning the DNS name is publicly
> > resolvable to a public IP), and
> > - committed to complying with a 24-hour (wall time) response time
> > certificate replacement upon demand by Mozilla?
>

Thanks,
Peter