On Wed, 4 Mar 2020 16:41:09 -0700 Wayne Thayer via dev-security-policy <[email protected]> wrote:
> I'm fairly certain that there is no validity period enforcement in
> Firefox. The request is
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125
> I'm also not in a position to commit Mozilla to technical enforcement
> if we adopt a policy of 398 days. However, I believe there is still
> value in the policy alone - violations are easily detected via CT
> logs, and making them a misissuance under our policy then obligates
> the CA to file a public incident report.

I see, well that explains why I struggled to find it :) Always harder to prove a negative.

There is some value in policy alone but there's also substantial independent value in writing the policy into the code. Would Mozilla accept third-party work to implement something like #908125? I appreciate you don't work for them any more Wayne, perhaps Kathleen or somebody else who does can answer?

Bad guys don't obey policy. Certificates constructed to attack Microsoft's bad implementation of elliptic curve signatures recently, for example, obviously needn't respect policy documents. But they *did* need to pass Chrome's technical enforcement of that policy. A certificate constructed to claim notBefore 2019-07-01 was required by Chrome to have SCTs, which of course an adversary could not obtain because their certificate only fooled MS Windows. As it happens the SCT requirement wasn't old enough to sidestep the issue - an adversary could just choose a fake notBefore prior to Chrome's cut-off. But it was close to just shutting down the attack altogether.

Technical enforcement also quietly benefits Subscribers. If you buy a certificate, quite legitimately, from an honest but inevitably imperfect Certificate Authority, and it turns out that certificate is a policy violation - it's better if when you install and test the certificate it doesn't work. "Hey, this product you sold me doesn't work". The CA can investigate, issue you a good certificate, apologise and if appropriate report the incident to m.d.s.policy.

Whereas if we find it a month later and they have to revoke the certificate, contact the subscriber, apologise etc. that's potentially a much bigger inconvenience to that subscriber.

> As usual, I'll propose the policy language and we'll discuss it on
> the list.

Thanks Wayne,

Nick.
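As an added illustration, not code from this thread, from Mozilla or from Chrome, the Python sketch below shows what technical enforcement of a 398-day limit looks like, including the notBefore cut-off gap the message describes. The policy effective date, the "notAfter minus notBefore" measure, and the CT-log-style sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions (not from the thread): validity is measured as notAfter - notBefore,
# and the limit only applies to certificates whose notBefore is on or after the
# policy effective date, the same gating Chrome used for its SCT requirement.
MAX_VALIDITY = timedelta(days=398)
POLICY_EFFECTIVE = datetime(2020, 9, 1, tzinfo=timezone.utc)  # placeholder date


@dataclass(frozen=True)
class CertDates:
    label: str            # constructed label, not a real certificate
    not_before: datetime
    not_after: datetime


def validity_verdict(cert: CertDates, now: datetime,
                     effective: datetime = POLICY_EFFECTIVE) -> str:
    """Classify one certificate: 'ok', 'too_long', 'pre_policy', 'future_not_before'."""
    if cert.not_before > now:
        # A notBefore in the future cannot be a legitimately issued certificate.
        return "future_not_before"
    if cert.not_before < effective:
        # Out of scope of the new rule. This is the gap the message describes:
        # whoever controls notBefore can choose a date before the cut-off.
        return "pre_policy"
    if cert.not_after - cert.not_before > MAX_VALIDITY:
        return "too_long"
    return "ok"


def find_violations(certs, now: datetime, effective: datetime = POLICY_EFFECTIVE):
    """Scan CT-log-style entries and return the labels that breach the limit."""
    return [c.label for c in certs if validity_verdict(c, now, effective) == "too_long"]


# Constructed sample entries, evaluated as of a fixed "now".
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
_issued = datetime(2020, 10, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertDates("ok-1yr", _issued, _issued + timedelta(days=365)),
    CertDates("edge-398", _issued, _issued + MAX_VALIDITY),
    CertDates("long-2yr", _issued, _issued + timedelta(days=730)),
    CertDates("legacy", datetime(2020, 6, 1, tzinfo=timezone.utc),
              datetime(2022, 6, 1, tzinfo=timezone.utc)),
    CertDates("forward", datetime(2021, 3, 1, tzinfo=timezone.utc),
              datetime(2022, 3, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(f"{c.label:10} {validity_verdict(c, NOW)}")
    print("violations:", find_violations(SAMPLE_CERTS, NOW))
```

The "legacy" entry is the point the message makes about cut-offs: a pre-policy notBefore passes the check, so the rule only bites once its effective date is old enough that backdating is no longer plausible.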

