On Thursday, April 10, 2014 6:47:38 PM UTC-5, Peter Eckersley wrote: > I think one large and tricky open question here is what the standard for > > "suspected of compromise" is. > >
This is neither large nor tricky, for two reasons. Firstly, look at the exact wording: > the CA obtains reasonable evidence that the subscriber's private key... is > suspected of compromise If I suspect that a key is compromised, then the key "is suspected" of compromise. If I write down "I suspect this key is compromised" and sign by name, that is "reasonable evidence that the key is suspected of compromise". Mozilla clearly did not mean "_is_ compromised" (in fact, that case is handled in its own clause). They wrote "is suspected", which has a pretty plain and clear meaning. Now it does happen to be an absurd meaning. By the language of the policy, I can write to a CA and get Microsoft's cert revoked. And so perhaps what they meant was "is reasonably suspected of compromise". If we read the adverb "reasonably" into the policy, which is not at all clear is the right thing to do, we have to ask: what would Mozilla mean by "is _reasonably_ suspected of compromise"? And the answer immediately follows: "e.g. Debian weak keys". The Debian weak key scenario is the contemplated purpose of "is suspected of compromise". Ask yourself: when Mozilla said "Debian weak keys", did they contemplate somebody showing that an attacker specifically did break their key in particular? No. Such a thing would be virtually impossible to show, for one. What they contemplated was somebody showing that their key was vulnerable. Similarly, if a person was running a bad OpenSSL, their key was vulnerable. So what the policy contemplates in the Heartbleed scenario is a user showing that they were running a bad OpenSSL. Not that an attacker actually did compromise them. Drew _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy