On Wed, 17 Nov 2021 15:46:41 -0700 Ben Wilson <[email protected]> wrote:
> What is the preferred method, and which other alternatives should be
> allowed for unambiguously reporting / locating the certificates or
> their "complete certificate data"?

I would prefer https://crt.sh/?sha256= rather than q= because I think it drops a stronger hint that this is just SHA256(certificate) for the price of 5 ASCII characters.

I would prefer Mozilla picks exactly one required format, because our experience is that the simpler the requirement the more likely everybody obeys it correctly.

The prefix https://crt.sh/?sha256= plus a SHA256 hash, it seems to me, is a completely satisfactory way to do this with the following set of benefits:

* No choices. One less thing to get wrong. Tools can produce exactly this one format, and consume exactly this one format, even if they don't talk to crt.sh
* Ergonomic for outsiders. Which certificates are we talking about? Just follow the URL
* Future proof because it has the SHA256(certificate) in it.

If there's a need for something else, like SHA1, I think somebody who needs that (from a participating Certificate Authority) ought to reach out about this immediately explaining why. I don't think Mozilla should add optional ways to do things which maybe nobody needs, as this incurs technical cost for no practical benefit.

Nick.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211119012009.1992687e%40totoro.tlrmx.org.
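The "produce exactly this one format, consume exactly this one format" point above, as an added example that is not part of Nick's message or of any crt.sh tooling: a producer that hashes the DER encoding of a certificate (PEM or DER input) into the single `https://crt.sh/?sha256=` form, and a strict consumer that rejects anything else, including the `?q=` form and SHA-1-length hashes. The sample certificate bytes are constructed, and accepting either hex case on input is this example's own assumption.

```python
import base64
import hashlib
import re

# The one required identifier form from the thread: fixed prefix + SHA256(certificate).
CRTSH_PREFIX = "https://crt.sh/?sha256="
# Strict pattern: exact prefix, exactly 64 hex characters, nothing else.
_CANONICAL_RE = re.compile(r"^https://crt\.sh/\?sha256=([0-9a-fA-F]{64})$")


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a single PEM-encoded certificate."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def certificate_url(cert) -> str:
    """Produce the required form. Accepts DER bytes or a PEM string;
    the SHA-256 is always computed over the DER encoding."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return CRTSH_PREFIX + hashlib.sha256(der).hexdigest()


def parse_certificate_url(value: str) -> str:
    """Consume the required form strictly and return the lowercase hex digest.
    The ?q= form, a 40-char SHA-1 hash, or trailing junk all fail loudly,
    so a report either matches the single format or is flagged."""
    match = _CANONICAL_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a canonical crt.sh sha256 URL: {value!r}")
    return match.group(1).lower()  # case-insensitive input is this example's assumption


# Constructed sample: arbitrary bytes stand in for a DER certificate (hashing does
# not need valid ASN.1); a real report would use the actual certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    url = certificate_url(SAMPLE_PEM)
    print(url)
    print(parse_certificate_url(url))
```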
