Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Ryan Sleevi via dev-security-policy
This is trivially detectable, and doesn't need to be addressed via any CA/B Forum work. This particular threat model is already part of other browser certificate uses (e.g. HTTP Signed Exchanges) and already something (some) browsers monitor. As Peter Bowen mentions, OCSP and CRLs are just as equa

Re: How Certificates are Verified by Firefox

2019-12-04 Thread Matthew Hardeman via dev-security-policy
I had thought that the OCSP privacy concerns were among the reasons for the general decline in OCSP queries issued by browsers. In addition, part of the rationale for development and encouragement of deployment of OCSP stapling. On Wed, Dec 4, 2019 at 6:12 PM Peter Bowen wrote: > Why not use OC

Re: How Certificates are Verified by Firefox

2019-12-04 Thread Peter Bowen via dev-security-policy
Why not use OCSP? On Wed, Dec 4, 2019 at 3:52 PM Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Not that anyone is presently doing or would do such a thing, but... > > Imagine a CA that wanted to offer up a user/browser tracking service to > their subsc

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Matthew Hardeman via dev-security-policy
Not that anyone is presently doing or would do such a thing, but... Imagine a CA that wanted to offer up a user/browser tracking service to their subscriber customer. Is there any rule that prevents an issuing CA from having a "custom" (hiding an identifier for the end-entity certificate) AIA URL

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Ryan Sleevi via dev-security-policy
Yes, I am one of the ones who actively disputes the notion that AIA considered harmful. I'm (pleasantly) surprised that any CA would be opposed to AIA (i.e. supportive of "considered harmful", since it's inherently what gives them the flexibility to make their many design mistakes in their PKI and

RE: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Tim Hollebeek via dev-security-policy
Someone really should write up "AIA chasing considered harmful". It was disputed at the TLS session at IETF 105, which shows that the reasoning behind it is not as widely understood as it needs to be, even among TLS experts. I'm very appreciative of Firefox's efforts in this area. Leveraging the

Re: Proposal: Add section 5.1 to the Common CCADB Policy

2019-12-04 Thread Kathleen Wilson via dev-security-policy
All, Section 5.1 has been added to the CCADB Policy. https://www.ccadb.org/policy#51-audit-statement-content Please let me know if you see any problems with the addition. Thanks, Kathleen