On 1/29/14 11:22 AM, Ryan Sleevi wrote:
> On Wed, January 29, 2014 10:50 am, Jeremy Rowley wrote:
>> 5) Having only one root with multiple sub CAs emphasizes the "Too Big To
>> Fail" issue. At DigiCert, and in the spirit of the Microsoft root policy,
>> we try to segregate the type of certificates issued off a single
>> intermediate. Relying on a single root consolidates everyone into a single
>> point of shared trust, forcing users to trust every kind of DigiCert
>> certificate. Having multiple roots allows a root operator to trust only
>> part of what DigiCert issues.
> This is, I think, the most compelling argument.
> I strongly believe that users are better protected NOT by adding a meta-CA
> (as Brian Smith proposed), but instead by having *fewer* "root" CAs and
> more intermediates-that-are-roots, segregated by policy flags.
> That is, a single root for issuing SSL/TLS certificates. If a CA also
> wishes to do things like code-signing or e-mail signing, they create
> additional roots for these. This strengthens the Mozilla Root CA policy by
> allowing Mozilla to say that "All certificates issued at-or-below this
> root must conform". The current Baseline Requirements, which are
> referenced by Mozilla, are ambiguous in this respect, because they apply
> to certificates which are "intended" to be used for SSL/TLS - thus
> creating a loophole for certificates that aren't "intended" to be used,
> but which are technically capable, being exempted from the BRs.
> I do think DigiCert should *not* be "punished" (e.g., by waiting for the
> features Brian Smith has suggested but which are not implemented yet),
> especially when part of the complexity is due to them offering ECC certs,
> which offers better performance for everyone.
I am in favor of improving things and having fewer root certificates to
manage, but I think there first needs to be a separate discussion about
what root/intermediate cert inclusion model we want to move to, how to
do that, and the corresponding code changes (or tools) need to be
implemented. Then I would be happy to move all new inclusions to the new
model, and work with CAs to migrate existing root/intermediate certs as
appropriate.
The discussion to figure out a new way forward needs to happen
separately, so that it doesn't get lost in a discussion about a
particular root renewal/inclusion request.
Brian, please post your proposal in a separate discussion -- and maybe
it actually belongs in m.d.security or m.d.t.crypto?
All, in this particular discussion thread, please review and comment
about DigiCert's root renewal/inclusion request in regards to if it
meets Mozilla's current policy and practices, and if you have other
related recommendations for this CA.
Also, note that Microsoft recently included these roots:
http://social.technet.microsoft.com/wiki/contents/articles/20897.windows-and-windows-phone-8-ssl-root-certificate-program-november-2013.aspx
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
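Ryan's "everything issued at-or-below this root must conform" rule, and the loophole he describes for certificates that are not "intended" for SSL/TLS but are technically capable of it, both come down to mechanical checks on the extendedKeyUsage extension. The Go program below is an added example written for this page; it is not code from the thread, from DigiCert, or from Mozilla. It builds a constructed hypothetical hierarchy (the CA names, serial numbers, hostnames and EKU assignments are invented) with one root segregated for TLS and one for code signing, audits each root under the segregation rule, and then shows the relying-party side: a leaf with no EKU hung under the code-signing CA is "technically capable" per RFC 5280, and a verifier that nests EKU along the chain (Go's does) rejects it for serverAuth, whereas the audit flags it regardless of which client is in use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hierarchy is a constructed, hypothetical PKI for this example (not DigiCert's):
//   TLS Root          -> TLS Issuing CA  -> www.example.com (EKU serverAuth throughout)
//   Code Signing Root -> Code Signing CA -> no-eku.example  (leaf carries no EKU at all)
// TLSIssued and CodeIssued hold [issuing CA, leaf] for each root.
type hierarchy struct {
	TLSRoot, CodeRoot     *x509.Certificate
	TLSIssued, CodeIssued []*x509.Certificate
}

var serial int64 // constructed serial numbers, one per certificate

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTemplate builds a minimal template; leaves get their CN as a DNS SAN.
func newTemplate(cn string, isCA bool, ekus []x509.ExtKeyUsage) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: ekus,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl under parent with parentKey; a nil parent means a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func buildHierarchy() hierarchy {
	tls := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	code := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	tlsRoot, tlsRootKey := issue(newTemplate("TLS Root", true, tls), nil, nil)
	tlsCA, tlsCAKey := issue(newTemplate("TLS Issuing CA", true, tls), tlsRoot, tlsRootKey)
	tlsLeaf, _ := issue(newTemplate("www.example.com", false, tls), tlsCA, tlsCAKey)
	codeRoot, codeRootKey := issue(newTemplate("Code Signing Root", true, code), nil, nil)
	codeCA, codeCAKey := issue(newTemplate("Code Signing CA", true, code), codeRoot, codeRootKey)
	// The "not intended for TLS" case: no EKU extension, which RFC 5280 treats as unrestricted.
	noEKU, _ := issue(newTemplate("no-eku.example", false, nil), codeCA, codeCAKey)
	return hierarchy{tlsRoot, codeRoot, []*x509.Certificate{tlsCA, tlsLeaf}, []*x509.Certificate{codeCA, noEKU}}
}

// hasEKU reports whether c's EKU extension explicitly lists u.
func hasEKU(c *x509.Certificate, u x509.ExtKeyUsage) bool {
	for _, got := range c.ExtKeyUsage {
		if got == u {
			return true
		}
	}
	return false
}

// tlsCapable is the "technically capable" test: an absent EKU extension, or
// anyExtendedKeyUsage, leaves the certificate usable for TLS server authentication
// whatever the CA says it intended.
func tlsCapable(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	return hasEKU(c, x509.ExtKeyUsageServerAuth) || hasEKU(c, x509.ExtKeyUsageAny)
}

// auditRoot applies the at-or-below rule: under a TLS root every certificate must
// carry an explicit serverAuth EKU (so the BRs unambiguously apply); under a
// non-TLS root nothing may be TLS-capable. Returns one finding per violation.
func auditRoot(root *x509.Certificate, tlsRoot bool, issued []*x509.Certificate) []string {
	var findings []string
	for _, c := range append([]*x509.Certificate{root}, issued...) {
		switch {
		case tlsRoot && !hasEKU(c, x509.ExtKeyUsageServerAuth):
			findings = append(findings, c.Subject.CommonName+": under TLS root without explicit serverAuth EKU")
		case !tlsRoot && tlsCapable(c):
			findings = append(findings, c.Subject.CommonName+": under non-TLS root but technically TLS-capable")
		}
	}
	return findings
}

// verifyForTLS is the relying-party view. Go's verifier checks EKU along the whole
// chain, so the no-EKU leaf is rejected because its issuer is restricted to code
// signing; a client that does not nest EKU would accept it.
func verifyForTLS(leaf, issuer, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h := buildHierarchy()
	fmt.Println("TLS root findings: ", auditRoot(h.TLSRoot, true, h.TLSIssued))
	fmt.Println("Code root findings:", auditRoot(h.CodeRoot, false, h.CodeIssued))
	fmt.Println("TLS leaf for TLS:   ", verifyForTLS(h.TLSIssued[1], h.TLSIssued[0], h.TLSRoot))
	fmt.Println("no-EKU leaf for TLS:", verifyForTLS(h.CodeIssued[1], h.CodeIssued[0], h.CodeRoot))
}
```

Run with `go run .` and the audit reports nothing under the TLS root and one finding under the code-signing root (the no-EKU leaf); the verifier accepts the TLS leaf and returns an incompatible-usage error for the no-EKU leaf. Against a real CA's issued certificates, the audit is the step a root program could take today, since it depends only on the extension already in the certificates, whereas the verifier behaviour varies by client.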