> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On > Behalf Of Matt Palmer via dev-security-policy > Sent: Sonntag, 5. Juli 2020 06:36 > > On Sat, Jul 04, 2020 at 07:42:12PM -0700, Peter Bowen wrote: > > On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy > > <dev-security-policy@lists.mozilla.org> wrote: > > > > > > > On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via > > > > dev-security-policy wrote: > > > > > > > > In the CIA triad Availability is as important as Confidentiality. > > > > Has anyone done a threat model and a serious risk analysis to > > > > determine what a reasonable risk mitigation strategy is? > > > > > > Did you do a threat model and a serious risk analysis before you > > > chose to use the WebPKI in your application? > > > > I think it is important to keep in mind that many of the CA > > certificates that were identified are constrained to not issue TLS > > certificates. The certificates they issue are explicitly excluded > > from the Mozilla CA program requirements. > > Yes, I'm aware of that. > > > I don't think it is reasonable to assert that everyone impacted by > > this should have been aware of the possibly of revocation > > At the limits, I agree with you. However, to whatever degree that there is > complaining to be done, it should be directed at the CA(s) > which sold a product that, it is now clear, was not fit for whatever purpose > it has been put to, and not at Mozilla.
Let me quote from the NSS website of Mozilla (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview): If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your security features. NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat, Google, and other companies in a variety of products, including the following: * Mozilla products, including Firefox, Thunderbird, SeaMonkey, and Firefox OS. * [and a long list of additional reference applications] Probably it would be good if someone from Mozilla team steps in here, but S/MIME _is_ an advertised use-case for NSS. And the Mozilla website says nowhere, that the demands and rules of WebPKI / CA/B-Forum overrule all other demands. It is simply not to be expected by a consumer of S/MIME certificates that they become invalid within 7 days just because the BRGs for TLS certificates are requiring it. This feels close to intrusive behavior of the WebPKI community. With best regards, Rufus Buschart Siemens AG Siemens Operations Information Technology Value Center Core Services SOP IT IN COR Freyeslebenstr. 1 91058 Erlangen, Germany Tel.: +49 1522 2894134 mailto:rufus.busch...@siemens.com www.twitter.com/siemens www.siemens.com/ingenuityforlife Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Klaus Helmrich, Cedrik Neike, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy