On 12/04/11 14:22, Stephen Schultze wrote:
On 4/8/11 6:49 PM, Sid Stamm wrote:
- Implement subscription-based blocklisting of certs via update ping
(remove need to ship patch)

Is there a bug for this?

Not that I know of; if there isn't, we need one.

Would this permit blocklisting of CA certs or
just EE?

I believe the plan is to allow either.

Would it allow third parties to maintain and distribute such
blocklists?

Hmm. Not unless you also want to maintain blocklists for addons and graphics drivers as well, or for your users to lose that functionality. (I guess you could download the Mozilla one and merge in your own list.)

- CA locking functionality in HSTS or via CAA

I am not aware of a spec (yet) for HSTS to do this.

Indeed not. However, one would not be too tricky to write.

CAA (do-not-issue) is experimental track, and the draft is still pretty
rough.

DANE is standards track, and it anticipates this functionality in the
current draft section 2.3 -- cert type 2.

DANE does the same thing? I had not noticed that. What does Phil Hallam-Baker say about the overlap?

Gerv
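The DANE "cert type 2" point above is the one concrete mechanism the thread names for CA locking: a domain publishes a record stating which CA must appear in the chain, and a client rejects chains issued under any other CA. The following is an added illustration, not code from this thread or from Mozilla; it assumes that the draft's cert type 2 is what RFC 6698 later called certificate usage 2 (DANE-TA), with selector 0 (full certificate) and matching types 0/1/2 (exact, SHA-256, SHA-512). The certificate bytes are constructed stand-ins rather than real DER, and the names `parse_tlsa`, `chain_permitted` and `make_record` are this example's own. PKIX signature validation of the chain is assumed to happen separately; the check here only answers "was this chain issued under the locked CA".

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real certificates).
TRUSTED_CA_DER = b"constructed-ca-certificate-bytes"
OTHER_CA_DER = b"constructed-other-ca-certificate-bytes"
LEAF_DER = b"constructed-end-entity-certificate-bytes"


@dataclass(frozen=True)
class TLSARecord:
    usage: int       # 2 = DANE-TA, the trust-anchor ("CA locking") case
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int    # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes      # certificate association data


def parse_tlsa(text: str) -> TLSARecord:
    """Parse presentation-format RDATA: 'usage selector matching hexdata'."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("usage/selector/matching value out of range")
    try:
        data = bytes.fromhex(parts[3])
    except ValueError as exc:
        raise ValueError("association data is not hex") from exc
    # A hashed record must carry exactly one digest; anything else is malformed.
    expected = {1: 32, 2: 64}.get(matching)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching} needs {expected} bytes, got {len(data)}")
    return TLSARecord(usage, selector, matching, data)


def is_valid_tlsa(text: str) -> bool:
    """True if the record parses; used to reject malformed records up front."""
    try:
        parse_tlsa(text)
        return True
    except ValueError:
        return False


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute what a record with this selector/matching type would contain."""
    # Assumption: selector 1 (SPKI) needs ASN.1 parsing of a real certificate,
    # so this example models only selector 0 (the whole certificate).
    if selector != 0:
        raise NotImplementedError("only selector 0 is modelled here")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    return hashlib.sha512(cert_der).digest()


def chain_permitted(records, chain) -> bool:
    """True if some DANE-TA record matches an issuing certificate in the chain.

    chain[0] is the end-entity certificate; only the certificates above it
    are candidates, because usage 2 locks the issuer, not the leaf.
    """
    for rec in records:
        if rec.usage != 2:
            continue
        for cert in chain[1:]:
            if association_data(cert, rec.selector, rec.matching) == rec.data:
                return True
    return False


def make_record(cert_der: bytes, selector: int = 0, matching: int = 1) -> str:
    """Build the usage-2 record a domain operator would publish for its CA."""
    return f"2 {selector} {matching} {association_data(cert_der, selector, matching).hex()}"


if __name__ == "__main__":
    published = [parse_tlsa(make_record(TRUSTED_CA_DER))]
    print("locked CA chain accepted:", chain_permitted(published, [LEAF_DER, TRUSTED_CA_DER]))
    print("other CA chain accepted: ", chain_permitted(published, [LEAF_DER, OTHER_CA_DER]))
```

The second call shows the property the thread is after: a certificate for the same name issued by a different, otherwise-trusted CA is refused because no usage-2 record matches anything above the end entity. Locking by SHA-256 rather than exact bytes keeps the record small while still binding to one specific CA certificate, so a renewed CA certificate requires the record to be updated.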
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security