Yes, I am arguing for 'require' so I'll restate: "Everybody is required to constrain in order to make the Internet safer for everyone. CAs may change their constraints at a later date, but you have to tell us."

As I stated previously, the security benefit is not to the CA itself but to everyone else on the Internet--regular, everyday users. When a CA system becomes compromised, the bad actor will say: "Cool! Now, how much damage can I inflict?" We should have a way to impose boundaries that intend to limit that damage. My whole viewpoint regarding name constraints is that it is a solvable problem. It's not an easy problem to solve, but it can be done.

This whole debate, though, is starting to get tedious because while I can make any number of suggestions (many of which would be controversial!) what's missing here is how much appetite Mozilla has to change the status quo. So, how much work does Mozilla feel like doing?

Original Message
From: Gervase Markham
Sent: Thursday, March 26, 2015 5:07 AM

On 26/03/15 03:59, Peter Kurrasch wrote:
> Perhaps I chose my words poorly because my intention actually was to
> avoid having to pass judgment at all. Instead of saying to a CA "we
> don't trust you enough, please constrain" I was hoping for something
> along the lines of "everybody is asked to constrain to make the
> internet safer for everyone".

But you say "asked" - and that's the entire difference between my position and yours. I am saying "'ask' is OK; 'require' is not". You are arguing for 'require'.

> In terms of who gets to issue for .com, I wouldn't impose a limit of
> who can do it, just that you have to tell us you're doing it. If a
> intermediate were to be constrained to .com, .net, and .org and
> nothing else, I would be fine with that. That would actually be quite
> an accomplishment if we could get every CA to just agree to that
> much.

It depends on the configuration of the CA's systems, but I'm not convinced that a CA significantly improves its security posture by having 10 intermediates which split the entire DNS space up into 10 pieces, rather than one. Those certs may well all be tied to the same issuing system.

Also, it means they would have to cut a new intermediate every month, at the moment, if they wanted to serve the new gTLD market.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
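The thread argues over whether an intermediate constrained to .com, .net and .org limits damage from a compromised issuing system, and Gerv notes that such an intermediate cannot issue for new gTLDs. The following added example (not code from either participant or from Mozilla) shows the mechanism they are discussing: the RFC 5280 section 4.2.1.10 matching rule for dNSName name constraints, applied to a constructed intermediate permitting only com/net/org, and to a chain where a second intermediate narrows the space further. It uses only the Python standard library and does not parse real certificates; the constraint lists and host names are constructed for illustration, and the leading-dot form is a common implementation extension rather than part of the RFC.

```python
"""RFC 5280 name-constraint matching for dNSName entries, stdlib only.

Constructed example: an intermediate constrained to com/net/org (as
proposed in the thread) and a second intermediate below it that is
constrained to one customer domain. No real certificates are parsed;
the constraint sets and host names here are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class NameConstraints:
    """One CA certificate's dNSName constraints.

    permitted=None means the CA carries no permittedSubtrees for dNSName,
    so any name is allowed unless it falls in an excluded subtree.
    """
    permitted: Optional[List[str]] = None
    excluded: List[str] = field(default_factory=list)


def _in_dns_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 rule: a name matches a subtree if it equals the subtree or
    is the subtree with one or more labels added on the left.

    'example.com' matches 'example.com' and 'www.example.com', but not
    'notexample.com'. A subtree written with a leading dot (".example.com")
    is treated the way several implementations do: subdomains only.
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if not subtree:
        return True  # an empty dNSName subtree matches every name
    if subtree.startswith("."):
        return name.endswith(subtree)  # label boundary is the dot itself
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees win; otherwise the name must sit in a permitted one."""
    if any(_in_dns_subtree(name, ex) for ex in nc.excluded):
        return False
    if nc.permitted is None:
        return True
    return any(_in_dns_subtree(name, p) for p in nc.permitted)


def chain_allows(path: Iterable[NameConstraints], leaf_names: Iterable[str]) -> bool:
    """Every CA on the path may add constraints; the leaf's SAN entries
    must satisfy all of them (the effective permitted set is the
    intersection, the effective excluded set is the union)."""
    cas = list(path)
    return all(dns_name_allowed(n, ca) for n in leaf_names for ca in cas)


# Constructed constraint sets used in the demo and the checks below.
TLD_CONSTRAINED = NameConstraints(permitted=["com", "net", "org"])
CUSTOMER_CONSTRAINED = NameConstraints(permitted=["example.com"],
                                       excluded=["internal.example.com"])
UNCONSTRAINED = NameConstraints()


def demo() -> None:
    cases = [
        ("www.example.com", TLD_CONSTRAINED),
        ("example.xyz", TLD_CONSTRAINED),       # new gTLD: needs a new intermediate
        ("notcom", TLD_CONSTRAINED),            # suffix without a label boundary
        ("db.internal.example.com", CUSTOMER_CONSTRAINED),
    ]
    for host, nc in cases:
        print(f"{host:28s} permitted={nc.permitted} -> {dns_name_allowed(host, nc)}")
    print("chain com/net/org > example.com, leaf www.example.net ->",
          chain_allows([TLD_CONSTRAINED, CUSTOMER_CONSTRAINED], ["www.example.net"]))


if __name__ == "__main__":
    demo()
```

The two points in the thread both fall out of the matching rule: a com/net/org intermediate cannot issue a usable certificate for a name under a new gTLD, and a second, narrower intermediate below it only ever shrinks the space further, which is what makes constraints useful for containment after a key compromise, regardless of whether ten such intermediates share one issuing system.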

