Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy
On Oct 18, 2019, at 6:39 PM, Peter Bowen  wrote:
> 
> On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
>> Paul Walsh via dev-security-policy 
>> writes:
>> 
>> >I have no evidence to prove what I’m about to say, but I *suspect* that the
>> >people at BSI specified “EV” over the use of other terms because of the
>> >consumer-visible UI associated with EV (I might be wrong).
>> 
>> Except that, just like your claims about Mozilla, they never did that, they
>> just give a checklist of cert types, DV, OV, and EV.  If there was a
>> Mother-validated cert type, the list would no doubt have included MV as well.
> 
> I think this is even easier. Kirk linked the article which links to the 
> actual requirements at 
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf
> 
> In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung 
> (Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung 
> (Organizational-Validated-Zertifikate, OV) sowie Zertifikate mit erweiterter 
> Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt werden".
> 
> Bing Microsoft Translator says the English translation is "Certificates with 
> domain-based validation (domain-validated certrifikate, DV), with
> organization-based validation (Organizational-Validated Certificates, OV) as 
> well as certificates with Extended Validation Certificates MUST be supported"
> 
> This appears to be the only reference to EV in the requirements.  Given the 
> discussion has been around moving the UI treatment of EV to match OV (versus 
> having a distinct EV-only UI treatment), I don't think there is likely to be 
> any impact on the BSI conformance results.

[PW] *Fact* - none of us know. So let’s find out. 

Assuming you know what a customer / stakeholder thinks is a rookie mistake. The 
BSI is a major “implementation” and for that reason, I hope Mozilla will offer an 
opinion and learn more. It’s a great opportunity to find out what their 
perception is. 

This forum is like an unhealthy religious cult where people aren’t open to 
being wrong about anything. Can we try to find common ground - such as our 
desire to help make the web safer. 

- Paul
> 
> Thanks,
> Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy
On Oct 18, 2019, at 6:31 PM, Peter Gutmann  wrote:
> 
> Paul Walsh via dev-security-policy  
> writes:
> 
>> I have no evidence to prove what I’m about to say, but I *suspect* that the
>> people at BSI specified “EV” over the use of other terms because of the
>> consumer-visible UI associated with EV (I might be wrong).
> 
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV.  If there was a
> Mother-validated cert type, the list would no doubt have included MV as well.
> 
> In fact if you're going to go to sheep's-entrails levels of interpretation,
> they place EV last on their list, and it's phrased more as an afterthought
> than the first two ("must support DV, OV, and also EV").
> 
> You're really grasping at straws here...

[PW] Rather than comment on me, perhaps you could indulge us with your 
interpretation. At least I’m open to being wrong. Are you?

Since it does the same thing as DV in regards to encryption, why do you think 
they specified EV?

- Paul

> 
> Peter.
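What "supporting" DV, OV and EV amounts to on the client side, as an added example that is not code from the thread, BSI or Mozilla: the three are told apart only by the CA/Browser Forum policy OIDs carried in the certificate's certificatePolicies extension (those OIDs are real), while the TLS handshake is the same for all of them. The CA-specific OID 1.3.6.1.4.1.99999.1 and both sample extensions below are constructed placeholders.

```python
# Added example (not from the thread, BSI or Mozilla): derive a leaf certificate's
# validation level from its DER certificatePolicies extension. The CABF OIDs are real;
# the CA-specific OID 1.3.6.1.4.1.99999.1 and both samples are constructed placeholders.
CABF_EV, CABF_OV, CABF_IV, CABF_DV = "2.23.140.1.1", "2.23.140.1.2.2", "2.23.140.1.2.3", "2.23.140.1.2.1"

def encode_oid(dotted):  # DER OID TLV (short-form length only); used to build the samples
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:  # base-128, continuation bit set on all but the last byte
            chunk, arc = chunk + [(arc & 0x7F) | 0x80], arc >> 7
        body += reversed(chunk)
    return bytes([0x06, len(body)] + body)

def der_seq(*items):  # DER SEQUENCE of already-encoded items (short-form length only)
    return bytes([0x30, len(b"".join(items))]) + b"".join(items)

def read_tlv(buf, pos):  # -> (tag, value, next_pos); handles long-form lengths too
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # inverse of encode_oid
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def policy_oids(cert_policies_der):  # every policyIdentifier in a certificatePolicies value
    tag, seq, _ = read_tlv(cert_policies_der, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)  # PolicyInformation ::= SEQUENCE { policyIdentifier, ... }
        oids.append(decode_oid(read_tlv(info, 0)[1]))  # optional policyQualifiers are ignored
    return oids

def classify(oids):  # browsers additionally require an EV-enabled root and know CA-specific EV OIDs
    for level, oid in (("EV", CABF_EV), ("OV", CABF_OV), ("IV", CABF_IV), ("DV", CABF_DV)):
        if oid in oids:
            return level
    return "unknown"  # the TLS handshake itself is the same whichever level applies

SAMPLE_EV = der_seq(der_seq(encode_oid("1.3.6.1.4.1.99999.1")), der_seq(encode_oid(CABF_EV)))  # constructed
SAMPLE_DV = der_seq(der_seq(encode_oid(CABF_DV)))  # constructed
```

Dropping the EV UI changes nothing in this code path: the certificate still parses, still classifies as EV, and still encrypts exactly as a DV certificate would.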


Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Peter Bowen via dev-security-policy
On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy 
> writes:
>
> >I have no evidence to prove what I’m about to say, but I *suspect* that the
> >people at BSI specified “EV” over the use of other terms because of the
> >consumer-visible UI associated with EV (I might be wrong).
>
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV.  If there was a
> Mother-validated cert type, the list would no doubt have included MV as well.
>

I think this is even easier. Kirk linked the article which links to the
actual requirements at
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf

In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung
(Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung
(Organizational-Validated-Zertifikate, OV) sowie Zertifikate mit
erweiterter Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt
werden".

Bing Microsoft Translator says the English translation is "Certificates
with domain-based validation (domain-validated certrifikate, DV), with
organization-based validation (Organizational-Validated Certificates, OV)
as well as certificates with Extended Validation Certificates MUST be
supported"

This appears to be the only reference to EV in the requirements.  Given the
discussion has been around moving the UI treatment of EV to match OV
(versus having a distinct EV-only UI treatment), I don't think there is
likely to be any impact on the BSI conformance results.

Thanks,
Peter


Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Peter Gutmann via dev-security-policy
Paul Walsh via dev-security-policy  
writes:

>I have no evidence to prove what I’m about to say, but I *suspect* that the
>people at BSI specified “EV” over the use of other terms because of the
>consumer-visible UI associated with EV (I might be wrong).

Except that, just like your claims about Mozilla, they never did that, they
just give a checklist of cert types, DV, OV, and EV.  If there was a
Mother-validated cert type, the list would no doubt have included MV as well.

In fact if you're going to go to sheep's-entrails levels of interpretation,
they place EV last on their list, and it's phrased more as an afterthought
than the first two ("must support DV, OV, and also EV").

You're really grasping at straws here...

Peter.


Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread Paul Walsh via dev-security-policy

> On Oct 18, 2019, at 7:55 AM, scott.helme--- via dev-security-policy wrote:
> 
> 
>> I hope the Mozilla community will celebrate this honor, but will also 
>> reconsider its proposal to drop support for EV certificates – that would 
>> mean that Firefox no longer meets all BSI requirements for a secure browser.
> 
> Hey Kirk,
> 
> Can you link to where Mozilla (or any other browser vendor) has stated their 
> intention to drop support for EV certificates? Unless you're confusing the 
> recent/upcoming UI changes surrounding EV, I've seen no such intention from 
> the browsers. EV certificates will continue to work just as OV and DV 
> certificates will.

[PW] I think everyone is right on this one.

I have no evidence to prove what I’m about to say, but I *suspect* that the 
people at BSI specified “EV” over the use of other terms because of the 
consumer-visible UI associated with EV (I might be wrong). 

If I’m right, they might get upset with the removal of the UI. Either way, this 
conversation helps to demonstrate to us, how an important stakeholder is using 
these terms to make important decisions. It also demonstrates how we are making 
too many assumptions about such important matters. 

I think this is a great opportunity from a product perspective, to learn more 
about BSI’s expectations and assumptions to help all of us, with the work we’re 
doing on their behalf. 

I think it’s absolutely critical for Mozilla to reach out to BSI to find out 
the right answers. But I think other stakeholders should do the same.

- Paul

> 
> Kind regards, 
> 
> Scott.



Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

2019-10-18 Thread scott.helme--- via dev-security-policy

> I hope the Mozilla community will celebrate this honor, but will also 
> reconsider its proposal to drop support for EV certificates – that would mean 
> that Firefox no longer meets all BSI requirements for a secure browser.

Hey Kirk,

Can you link to where Mozilla (or any other browser vendor) has stated their 
intention to drop support for EV certificates? Unless you're confusing the 
recent/upcoming UI changes surrounding EV, I've seen no such intention from the 
browsers. EV certificates will continue to work just as OV and DV certificates 
will.

Kind regards, 

Scott.