On Thu, 5 Mar 2020 14:15:17 +0000
Nick Lamb via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> There is some value in policy alone but there's also substantial
> independent value in writing the policy into the code. Would Mozilla
> accept third party work to implement something like #908125? I
> appreciate you don't work for them any more Wayne, perhaps Kathleen or
> somebody else who does can answer?

I never saw any reply on this topic and so my assumption is that at
best such a patch would be in the big pile of volunteer stuff maybe
nobody has time to look at.


After some further thought this gives me a real concern that maybe is
an error (in which case I'm sure somebody here will be delighted to
correct me).

As I understand it Apple's intent is that Safari will not accept a
certificate with a lifetime of (let's say for this example) 500 days,
but this would not necessarily become a violation of their root store
policy. Such a certificate could exist and (absent decisions here) it
would work in Firefox but not Safari. More practically, it would work
in some TLS-based internal system that trusts public roots, but not in
Safari, which would be just fine for a backend system that was never
actually intended to be used by web browsers.

This would make it like SCT enforcement in Safari or Chrome. Google
doesn't propose to distrust a CA which issues certificates without
logging them - it just ensures the Chrome browser doesn't trust those
certificates until it is shown proof they were logged, which might be
hours or weeks later. As I understand it Google's own CA deliberately
does this in fact.

If that understanding is correct (again the poor communication from
Apple which I already disapproved of doesn't help me) then in having an
unenforced root store policy about this, rather than enforcement but no
policy change, Mozilla would be standing alone.

That has much larger implications, so if that's what we're talking
about here we need to be clear about it.


Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy