On Tue, Apr 21, 2020 at 01:23:49AM -0400, Ryan Sleevi wrote:
> On Mon, Apr 20, 2020 at 10:04 PM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > 1. Make cPSuri mandatory
>
> We really don’t need to be stuffing everything into subscriber
> certificates, especially when it’s relevant to who the issuer is. We also
> need to make sure we are optimizing for the right case - the vast majority
> of certificates who, for their entire lifetime, have no need to express the
> CPS URI, and would waste countless bytes (and electrons and fossil fuel)
> unnecessarily.

That ship sailed so very, very long ago, though. Practically every
certificate out there already provides a (far less useful) cPSuri, and many
certificates are also jammed full of all sorts of other cruft, like Explicit
Text.

> > 2. Make the cPSuri actually point to the relevant CPS
>
> That doesn’t really capture what a CPS is. There can be many relevant CPSes
> to a single certificate, both for a single path and multiple paths. That’s
> literally how audits came to be - to support the model of multiple CPSes.

From what I can see in a CSV o' Doom, a CA can only provide a single CPS
link for a given intermediate. That does rather suggest that there's only
one CPS for a given certificate.

> > The problem is that a CA's repository, or "online information provided by
> > the CA", typically looks something like this:
> >
> > * CPS for Device PKI
> > * Frambingaling CP and CPS v2.1
> > * Latest Certificate Practice Statement for Small Furry Creatures
> > * Subscriber Agreement and Addendum for Something Something
> >
> > ... and so on. How I get from "I have a certificate that I need to
> > report", which contains an issuer CN and not much else, to the correct
> > document out of that list above, is a non-trivial problem. Having the
> > cPSuri point *to the CPS* would completely solve that.
>
> Do you disagree? If Mozilla Policy made normative that there be some form
> of binding problem reporting statement for each issuer certificate, would
> that address your problem or not?

Not particularly, because while problem reporting addresses are the major
part of why I have gone looking for CPSes in the recent past, it is not the
only reason.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
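The cPSuri the thread argues about is a policy qualifier inside the certificatePolicies extension, so "find the CPS for this certificate" starts with pulling that qualifier out of the DER. The following is an added example, not code from the thread or from any CA: it walks a DER-encoded certificatePolicies value and returns each policy OID with whatever cPSuri strings it carries, run over a constructed sample extension (the https://ca.example.test/cps URL and the 1.3.6.1.4.1.99999.1 policy OID are made up; id-qt-cps and the CA/B Forum DV OID 2.23.140.1.2.1 are the real ones).

```python
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # id-qt-cps: the policy qualifier that carries a CPS URI

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def cps_uris(ext_value):
    """Map each policy OID in a certificatePolicies value to the cPSuri strings it carries."""
    _, policies, _ = _read_tlv(ext_value, 0)  # outer SEQUENCE OF PolicyInformation
    out = {}
    for _, policy in _children(policies):
        items = list(_children(policy))     # [policyIdentifier, policyQualifiers?]
        oid = _decode_oid(items[0][1])
        out[oid] = []
        if len(items) > 1:                  # policyQualifiers is OPTIONAL
            for _, qual in _children(items[1][1]):
                q = list(_children(qual))   # [policyQualifierId, qualifier]
                if _decode_oid(q[0][1]) == ID_QT_CPS and q[1][0] == 0x16:  # IA5String
                    out[oid].append(q[1][1].decode("ascii"))
    return out

def _tlv(tag, body):  # short-form DER length is enough for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_extension():
    """Constructed certificatePolicies: the CA/B Forum DV policy with a cPSuri, plus a bare policy."""
    qt_cps = _tlv(0x06, bytes.fromhex("2b06010505070201"))  # 1.3.6.1.5.5.7.2.1
    cps = _tlv(0x30, qt_cps + _tlv(0x16, b"https://ca.example.test/cps"))
    dv = _tlv(0x30, _tlv(0x06, bytes.fromhex("67810c010201")) + _tlv(0x30, cps))  # 2.23.140.1.2.1
    bare = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010401868d1f01")))  # 1.3.6.1.4.1.99999.1, no qualifiers
    return _tlv(0x30, dv + bare)
```

On a real certificate the input is the contents of the certificatePolicies extnValue OCTET STRING; a policy with an empty list is exactly Matt's case of a certificate that names a policy but gives no pointer to the governing CPS.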