All good points. ‎I wonder if we need to start with something more basic: 
setting expectations.

Maybe we need to communicate to all participating CA's that we expect them to 
perform a security scan of all Internet-facing interfaces. That we expect each 
interface to be able to pass the OWASP Top Ten. That we expect a scan to be 
performed at least once per year.

To be sure, that's a pretty low bar but I don't know that all CA's could pass 
even that minimal benchmark today. If so, that's a big problem.


  Original Message  
From: Tom Ritter
Sent: Thursday, June 30, 2016 11:57 AM‎

On 30 June 2016 at 11:10, Peter Kurrasch <fhw...@gmail.com> wrote:
> Very interesting. This is exactly the sort of thing I'm concerned about with 
> respect to Let's Encrypt and ACME.
>
> I would think that all CA's should issue some sort of statement regarding the 
> security testing of any similar, Internet-facing API interface they might be 
> using. I would actually like to see a statement regarding any interface, 
> including browser-based, but one step at a time. Let's at least know that all 
> the other interfaces undergo regular security scans--or when a CA might start 
> doing them.
>
> Anyone proposing updates in CABF?

In theory I would support this, in practice it has no teeth. There is
no (real) accreditation for security reviews, and the accreditations
that exist do not, in practice, ensure one with the accreditation is
skilled. You can say "APIs must have a security review" or an
"adversarial security scan" or a "vulnerability scan", or "manual
penetration test", or a "red team assessment" - but the definition of
the terms and the skillsets of people performing them vary so widely
that it would not guarantee very much in practice.

I believe that the CAs who want to be a leader in this niche already
are, and the CAs who cannot afford to do so (because I assume every CA
wants to take security seriously, but is confined in practice) will
wind up meeting the requirement in a way that does not significantly
improve their security. (And various shades in between)

But I'm biased, being a security consultant and all.

-tom
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to