On Fri, 13 Nov 2020 12:11:57 -0500 Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I want it to be explicit whether or not a CA is making a restrictive
> set or not. That is, it should be clear if a CA is saying "We will
> only accept these specific methods" or if the CA is saying "We will
> accept these methods, plus any method at our discretion".

I see this as essentially redundant. Any major CA which does not choose "We will accept ... any method at our discretion" under your formulation stands to be humiliated repeatedly until they revise their policies to say so, as I explained previously. I guess the existence of the resulting, let's call it "Sleevi boilerplate", is harmless, but it seems foolish for Mozilla to demand people write boilerplate that doesn't achieve anything.

> I encourage you to make use of PACER/RECAP then.

I examined 7 pages of RECAP results for "Key Compromise". Most of them meant this phrase in the sense of "important settlement of differences", but some were cryptography related. Here is what I found:

There were verbatim copies of RFCs 2459 and 3281 submitted as evidence to a patent case that ends up involving Acer, Microsoft and others.

Another case submitted as evidence the ISRG CPS. It's a Lanham Act case roughly along the lines Let's Encrypt followers will be familiar with: the plaintiff wants a certificate revoked, Let's Encrypt says they just issue certificates for DNS names, have the court take the DNS name away if that's the issue. Not relevant here.

And finally there's an EFF amicus briefing which says basically that key compromise is bad, which everybody here already knew.

I found no evidence that there are in fact such "secret documents" and no evidence there's a problem here that would or could be fixed by your preferred language for this Mozilla policy. If you have a _much_ more specific claim than just "Somebody has mentioned it in court at some point" then please make it.

Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy