On Tue, March 10, 2015 11:33 am, Gervase Markham wrote:
>  The idea of forcibly constraining government CAs to issue for their own
>  TLDs is, to me, a lot more plausible. For one thing, many government CAs
>  don't have the same audits that non-governmental CAs do.
>
>  The difficulty here is defining "governmental", particularly in
>  countries where the "N" in "NGO" is silent.

I think you touched on what I was (somewhat intentionally) skirting.

Currently, the Mozilla inclusion policy allows several audit schemes
- ETSI TS 101 456 v1.4.3+
- ETSI TS 102 042 v2.3.1+
- ISO 21188:2006
- WebTrust Principles for CAs 2.0+ & WebTrust SSL BRs v1.1+
- WebTrust Principles for CAs EV 1.4+

Now, ISO 21188 is a bit anachronistic. I'm surprised we still allow that,
and none of the current included CAs follow that, and I don't think anyone
would miss it if it was dropped.

WebTrust is handled by AICPA/CPA Canada, and the list of global
practitioners is at
http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx.
Of course, anyone can become licensed, per
http://www.webtrust.org/signing-up-for-the-trust-services-program/item64422.aspx

ETSI audits are a bit different. Like WebTrust, a set of criteria are
developed (derived) from the CA/Browser Forum requirements. These are then
enshrined into the ETSI TS guidelines. These guidelines then become
incorporated into local legislative frameworks, which is also responsible
for establishing the auditor qualifications. This is already a mess for
those familiar with it, as some ETSI TS adopting countries have not set up
qualified auditors, and thus CAs within that country need to get audits
from qualified international practitioners. A better summary can be seen
on https://cabforum.org/2014/10/16/ballot-135-etsi-auditor-qualifications/

I mention all of this because it's easy to suggest that the ETSI TS
framework allows for governments to set up their national accreditation
body to allow an NGO-but-really-GO to perform the audits. It's also true
that many of the recent issues have been with ETSI TS-audited entities.

However, a quick scan of https://wiki.mozilla.org/CA:IncludedCAs shows
that plenty of government CAs (e.g. Government of Hong Kong,
Government of Spain, Government of Hong Kong) are WebTrust audited, and by
Big Firms (whether that increases or decreases your trust is a different
matter), just as there are a large number that are ETSI TS audited.

Why do I say all this? If you wanted to argue that government CAs don't
have the same audits as non-government CAs - a question of ETSI vs
WebTrust - one solution would be to simply disallow ETSI audits, on the
basis that the government operating the CA gets to (effectively, even if
not in principle) define the audit rigor. I'm sure Erwann would chime in
on why that might be unwise, but it does highlight that if we really do
believe that government CAs are not audited to the same level as
non-governmental CAs, then shouldn't we try to reduce the audit
discrepancy, rather than try to limit the issuance? Wouldn't that serve
more users AND offer a more agile path for future changes?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy