Hi Dana,

One thing I don't see mentioned here is certificate transparency, which, while 
not a 1:1 replacement, nevertheless strongly contributes to the same goal of 
control over issuance.

Is there a plan to implement SCT verification in Firefox, similar to what 
Chrome and Apple have shipped? In either event, it sounds like the plan to 
remove HPKP is not contingent on the answer on CT, correct?

Alex

On Sunday, November 17, 2019 at 9:16:56 PM UTC-5, Dana Keeler wrote:
> The breadth of the web public key infrastructure (PKI) is both an asset 
> and a risk. Websites have a wide range of certificate authorities (CAs) 
> to choose from to obtain certificates for their domains. As a 
> consequence, attackers also have a wide range of potential targets to 
> try to exploit to get a mis-issued certificate. The HTTP Public Key 
> Pinning (HPKP) [0] header was intended to allow individual sites to 
> restrict the web PKI to a subset as it applies to their domains, thus 
> decreasing their exposure to compromised CAs.
> 
> Unfortunately, HPKP has seen little adoption, largely because it has 
> proved to be too dangerous to use. There are a number of scenarios that 
> can render websites inoperable, even if they themselves don't use the 
> header. Chrome removed support for it in version 72 in January of this 
> year [1]. According to our compatibility information, Opera, Android 
> webview, and Samsung Internet are the only other implementations that 
> support the header [2]. At this point, it represents too much of a risk 
> to continue to enable in Firefox.
> 
> A related mechanism, DNS Certification Authority Authorization (CAA) 
> [3], also allows websites to restrict which CAs can issue certificates 
> for their domains. This has seen much larger adoption and does not 
> suffer from the drawbacks of HPKP.
> 
> Earlier today, bug 1412438 [4] landed in Firefox Nightly [5] to disable 
> HPKP via a preference. New HPKP headers will not be processed, and 
> previously-cached HPKP information will not be consulted.
> 
> The static list of key pinning information that ships with Firefox is 
> still enabled, and these pins will still be enforced.
> 
> [0] https://tools.ietf.org/html/rfc7469
> [1] https://www.chromestatus.com/feature/5903385005916160
> [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
> [3] https://tools.ietf.org/html/rfc6844
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
> [5] Coincidentally, version 72
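The CAA mechanism Dana's announcement points to as the surviving way for a site to restrict issuance works on the CA side rather than in the browser: before issuing, the CA looks up CAA records for the requested name, climbing toward the root until it finds a set, and then checks whether it is named as an authorized issuer. The following is an added example, not code from this thread, Mozilla, or any CA: a simplified Python model of that evaluation (tag names and the critical flag as in RFC 6844 / RFC 8659), run against a constructed in-memory zone. The zone contents, the `.test` names and the CA names are invented for illustration; the model omits DNSSEC and CNAME handling, which a real resolver would deal with.

```python
"""Simplified CAA evaluation over a constructed zone (added example, not real DNS data)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # ISSUER_CRITICAL set means an unknown tag must block issuance
    tag: str     # "issue", "issuewild", "iodef", or something a CA may not understand
    value: str   # issuer domain, optionally followed by "; key=value" parameters


# Constructed zone: name (no trailing dot) -> CAA RRset. Hypothetical names throughout.
ZONE = {
    "example.test": [
        CAARecord(0, "issue", "ca-one.test"),               # only ca-one may issue
        CAARecord(0, "issuewild", ";"),                     # no wildcard issuance at all
        CAARecord(0, "iodef", "mailto:security@example.test"),
    ],
    "locked.example.test": [
        CAARecord(0, "issue", ";"),                         # no CA may issue for this name
    ],
    "strict.example.test": [
        CAARecord(ISSUER_CRITICAL, "futuretag", "x"),       # critical tag the CA does not know
    ],
}


def relevant_record_set(name, zone):
    """Climb from the name toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def issuer_domain(value):
    """Strip ';'-separated parameters; an empty result means 'no issuer'."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_authorized(requested_name, ca_domain, zone=ZONE):
    """Return (allowed, reason) for ca_domain asking to issue for requested_name."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    found_at, records = relevant_record_set(base, zone)
    if not records:
        return True, "no CAA records found; any CA may issue"

    # An unknown property marked critical means the CA cannot safely proceed.
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag '{r.tag}' at {found_at}"

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # For wildcard names issuewild takes precedence; otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {found_at} does not restrict issuance"

    allowed = {issuer_domain(r.value) for r in applicable} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorized by CAA at {found_at}"
    if not allowed:
        return False, f"CAA at {found_at} forbids issuance by any CA"
    return False, f"{ca_domain} not among {sorted(allowed)} at {found_at}"


if __name__ == "__main__":
    for name, ca in [("www.example.test", "ca-one.test"),
                     ("www.example.test", "ca-two.test"),
                     ("*.example.test", "ca-one.test"),
                     ("locked.example.test", "ca-one.test"),
                     ("strict.example.test", "ca-one.test"),
                     ("unrelated.test", "ca-one.test")]:
        ok, why = is_issuance_authorized(name, ca)
        print(f"{name:24} {ca:12} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two details worth noticing when reading the results: `www.example.test` has no CAA records of its own, so the set at `example.test` governs it, which is what lets one record at the zone apex cover every hostname underneath; and the `issuewild ";"` record denies `*.example.test` even though `issue ca-one.test` would otherwise permit that CA, because wildcard requests consult `issuewild` first. Unlike HPKP, a mistake here breaks new issuance at the CA, not existing connections in the browser, which is the reason the announcement can call CAA free of HPKP's drawbacks.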

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform