Thank you to all of you who have thoughtfully and constructively contributed to this discussion so far. This discussion is still open, and we will continue to appreciate your input.
I believe that the latest proposal from Richard (to reject new certificates chaining to CNNIC roots) is in line with Mozilla's policies, and I will explain my reasoning below.

As a reminder, in 2012 and 2013 we set up a wiki page spelling out how Mozilla should respond to incidents of certificate mis-issuance:
https://wiki.mozilla.org/CA:MaintenanceAndEnforcement#Potential_Problems.2C_Prevention.2C_Response

The current incident falls into this category:

"Problem: CA mis-issued a small number of intermediate certificates that they can enumerate
- Immediate Minimum Response: Actively distrust the intermediate certificates...
- Depending on the situation, also consider distrusting the root certificate or all of the root certificates owned by that CA."

Mozilla has taken an immediate minimum response by adding the intermediate certificate to OneCRL in Firefox 37, even though the cert expires soon. This continued discussion is about the second part: "Depending on the situation, also consider distrusting the root certificate or all of the root certificates owned by that CA."

Additionally, Mozilla's CA Certificate Enforcement Policy says:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/

"2. Mozilla may, at its sole discretion, disable (partially or fully) or remove a certificate at any time and for any reason. Mozilla will disable or remove a certificate if the CA demonstrates ongoing or *egregious* practices that do not maintain the level of service that was established in the Inclusion Section of the Mozilla CA Certificate Policy or that do not comply with the requirements of the Maintenance Section of the Mozilla CA Certificate Policy."
I believe this incident may be considered egregious, and is different from previous incidents for the following two reasons:

1) Mozilla's expectations regarding externally-operated subordinate CAs chaining up to roots in Mozilla's program have been increasingly clarified since 2012, and CNNIC has acknowledged each of Mozilla's communications regarding externally-operated subordinate CAs, starting in 2012.
https://wiki.mozilla.org/CA:Communications

2) As Richard previously stated: "... the most troubling aspect of this is that CNNIC violated their own CPS -- the covenant they make with the community for how they will behave, and the basis for all the decisions that we make about whether to trust them."

Also, as per
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
and
https://bugzilla.mozilla.org/show_bug.cgi?id=607208#c22
the decision to include the CNNIC root certificates was partly based on evaluation of the CA hierarchy. There was no indication in their CP/CPS or during the inclusion process that CNNIC would issue externally-operated intermediate certificates.

Therefore, I believe we should move forward with filling in the details for the plan that Richard described.

I will greatly appreciate your continued thoughtful and constructive feedback on this.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

