On Mon, 6 Jul 2020 at 19:30, Ryan Sleevi <[email protected]> wrote:
>
> On Mon, Jul 6, 2020 at 1:22 PM Matthias van de Meent via dev-security-policy
> <[email protected]> wrote:
>>
>> ...
>>
>> 1.) What was the reasoning behind not (also / specifically) allowing
>> an HTTPS url? Was there specific reasoning?
>
>
> Nope, no specific reasoning. The ambiguity here is whether it's resources
> dereferenced via an HTTP protocol (which would include HTTP over TLS) or
> whether it's HTTP schemed resources (which would not). The meaningful
> distinction was to exclude other forms of scheme/protocols, such as LDAP
> (inc. LDAPS) and FTP (inc. FTPS)
>
>>
>> 2.) Should this be fixed, or should the batch of certificates with an
>> http `certificatePolicies:policyQualifiers:qualifier:cPSuri` be
>> revoked as misissued?
>
>
> Yeah, this is something that was already flagged as part of the validation WG
> work to clean up certificate profiles, in that there's other forms of
> ambiguity here. For example, if one includes an HTTP(S) URL, can they also
> include one of the undesirable schemes? How many CPS URIs can they include?
> etc.
>
Great, thanks for the reply, and thanks for the concise information. Then I shall await such update to the BR.

-Matthias
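The check a certificate linter would run for the question above, as an added example that is not part of the thread or of any CA/B Forum tooling: it walks the DER of a certificatePolicies extension value with a minimal hand-written TLV reader (assumed sufficient for this structure, not a general ASN.1 decoder), collects every id-qt-cps qualifier, and reports each cPSuri whose scheme is outside http/https, the "HTTP over TLS included" reading Ryan describes. The sample extension value is constructed inline.

```python
# Added example (not from the thread): walk a DER certificatePolicies value,
# collect every cPSuri qualifier and flag schemes other than http/https.
from urllib.parse import urlsplit
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps (RFC 5280)
ALLOWED = {"http", "https"}          # the "HTTP over TLS included" reading

def _tlv(buf, pos):                   # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                 # yield (tag, value) of the nested TLVs
    pos = 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        yield tag, body

def _oid(body):                       # dotted OID; first arc 0..2 assumed
    arcs, acc = list(divmod(body[0], 40)), 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def cps_uris(cert_policies_der):      # {policyIdentifier: [cPSuri, ...]}
    out, (_, seq, _) = {}, _tlv(cert_policies_der, 0)   # SEQUENCE OF PolicyInformation
    for _, info in _children(seq):
        fields = list(_children(info))   # policyIdentifier, policyQualifiers (optional)
        uris = out.setdefault(_oid(fields[0][1]), [])
        for _, qual in (_children(fields[1][1]) if len(fields) > 1 else ()):
            (_, qid), (qtag, qval) = _children(qual)
            if _oid(qid) == ID_QT_CPS and qtag == 0x16:   # IA5String
                uris.append(qval.decode("ascii"))
    return out

def lint(cert_policies_der):          # findings: cPSuri scheme outside http/https
    return [f"{oid}: cPSuri scheme not http/https: {u}"
            for oid, uris in cps_uris(cert_policies_der).items()
            for u in uris if urlsplit(u).scheme.lower() not in ALLOWED]

def _enc(tag, body):                  # tiny encoder, only to build the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: policy 2.23.140.1.2.1 with an https and an ldap cPSuri.
_CPS = _enc(0x06, bytes.fromhex("2B06010505070201"))
SAMPLE = _enc(0x30, _enc(0x30, _enc(0x06, bytes.fromhex("67810C010201")) + _enc(0x30,
    _enc(0x30, _CPS + _enc(0x16, b"https://example.com/cps")) +
    _enc(0x30, _CPS + _enc(0x16, b"ldap://example.com/cps")))))
```

The input is the certificatePolicies SEQUENCE itself, i.e. the contents of the extension's extnValue OCTET STRING, not the whole certificate.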

