* Peter Eckersley:

> Florian, there's something about legal rules that is often quite
> unintuitive to those of us with technical backgrounds: lawyers don't
> necessarily expect them to be followed exhaustively all of the time.

And they tend to withhold compassion (or technical judgments).

> At least in common law countries (.us, .uk, .ca, .au, .il, and many
> more), legal rules exist most profoundly to resolve disputes between
> people who cannot resolve their dispute by less formal means.

Exactly, once lawyers are involved, formalities matter, and the rules
are quite different compared to what we would use otherwise.

> As a legal instrument, the Baseline Requirements should be
> understood in the same tradition.  They exist as operational
> guidelines, and as a fallback mechanism if there is an unresolved
> dispute with a CA.  The Cloudflare Challenge is a pretty unusual
> case that probably wasn't anticipated by whoever drafted the BRs and
> the Comodo CPS.  But if there's nobody who has a security problem
> because of the Cloudflare Challenge, why on earth would the cert be
> revoked?

I totally disagree with that, for two reasons.  The first one is that
we are not merely dealing with a dispute between two contracting
parties.  If subscribers and CAs were free to negotiate alternative
terms, the current frameworks of policy reviews and audits would be
completely pointless.

The second reason is the following: What you are proposing is a value
judgement.  But these have no place in the browser PKI.  For example,
a properly contained sub-CA which issues interception certificates for
internal company use arguably increases security for the covered users
because content passing in and out can be reviewed independently from
the end points.  Furthermore, many people will agree that interception
certificates for targeting terrorists and other criminals would result
in a net benefit as well.  I think it is extremely difficult to draw
the line between "good" CA policy violations and "bad" ones, so it's
better not to start.

Requesting certificates with the intent of leaking the private key is
against the rules, so just don't do it.  It is debatable whether the
rules make sense (especially the CA-initiated revocations on key
compromise, as mandated by Mozilla's rules, seem problematic to me),
but then the rules need changing.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy