Closed Bug 1019259 Opened 10 years ago Closed 10 years ago

disable public key pinning on Seamonkey

Categories

(SeaMonkey :: Build Config, defect)

Product:
SeaMonkey
Component:
Build Config
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: mmc, Unassigned)

References

(Blocks 1 open bug)

Details

Hello,

I'm not sure if anything needs to be done for this, but we recently landed public key pinning on Firefox 32. Some of the sites that we are pinning have requested a 24-hour SLA in pushing updates in case of a regression caused by this feature.

We can manage this on Firefox but not on forks. This is a request to not enable public key pinning by keeping security.cert_pinning.enforcement_level set to 0, as it is in modules/libpref/src/init/all.js.

Thanks,
Monica
To be clear, by "keeping... as it is in...." you mean to tell us there is no change required for SeaMonkey, and in-fact should NOT make this change unless we can guarantee 24 hour SLA on updates from pinning?

Or are you asking us to update the pref ourselves, for our own code?

What does this SLA mean for terms of our users or derivative projects choosing to pin despite our default setting?

Is this a contractually enforcable SLA for MoCo/MoFo in terms of the use? (e.g. if we later decide we think we can meet this SLA, and enable it, then turns out we can't due to some other situation, what does that mean for us as a community/org)
Flags: needinfo?(mmc)
Hi Justin,

As long as Seamonkey doesn't change security.cert_pinning.enforcement_level from 0 (as it is set in modules/libpref/src/init/all.js), there's nothing to be done. Sorry for the confusing bug report, I don't know which, if any, prefs Seamonkey takes from browser/app/profile/firefox.js, where the pref is set to non-zero.

The SLA is an informal promise to the pinned site operators that we will do our best to get our pinning fixes in 24 hours. If users or derivative projects choose to pin (including Seamonkey) then MoCo/MoFo/site operators are not in a position to help with escalations in case of breakage or unexpected behavior. We recommend against pinning in derivative projects at this time. In the future, site operators can advertise their pinning support online with HPKP: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-13

This is a safer mechanism because it won't rely on ops/releng coordination for regressions.

I hope that helps,
Monica
Flags: needinfo?(mmc)
firefox.js only affects Firefox, all.js is shared across all apps.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Blocks: 1305902
You need to log in before you can comment on or make changes to this bug.