On 31/08/16 20:43, Nick Lamb wrote:
> This suggests the need for some options short of distrust which can
> be deployed instead, but Mozilla does not seem to have any. If in
> fact it already does, this would be a great place to say what they
> are and discuss why they haven't been able to be used in recent
> cases.

Have you considered what was done for CNNIC? In that case, we distrusted all certificates issued after a certain time. We used a whitelist for determining this, but it would be possible to use the notBefore date in the certificate. A CA could dodge this by backdating, but if the CA were also committed to putting all its certs into CT, then the backdating would be noticeable.

> 1. Implement "Require SCTs" for problematic CAs. Notify the CA they
> are obliged to CT log all certificates, inform subscribers etc. or
> their subscriber's certificates will suddenly be invalid in Firefox
> from some future date.

This is not currently possible in Firefox, as Firefox does not have the ability to check SCTs. We hope to have that ability soon.

> 2. Create "at risk" category for problematic CAs which lasts some
> finite period of time (or a period to be set in each case). Notify
> the CA they are obliged to warn their subscribers of this status or
> leave the Mozilla programme immediately. Publicly announce "at risk"
> status and drive as PR.

One issue to consider with this option would be that reputational damage is harder to quantify and control than a technical measure, which might be said to increase the risk that the action would be disproportionate.

> 3. Split NSS trust store into two or more categories based on degree
> of trustworthiness. Maybe present a Firefox pref to pick "secure" vs
> "compatible"

Non-starter, I'm afraid. We are not loading this problem onto users.

> Finally, I would like to mention, though I expect it to be shot down,
> a much more radical way forward. RP audits. Relying Party audits.

Some issues to consider with this approach would be:

* How does the money to pay for such audits flow from the CA to the auditor, and through whom?
* Who chooses the auditors?
* How do you make sure they remain independent when their funding is (even indirectly) from the CAs?
* How do you deal with confidentiality issues? CAs have some things they legitimately wish to keep confidential. And yet such an auditor would need full access to all their infra and business processes.
* Is it a problem that adding additional costs to becoming a CA discourages new and possibly innovative companies from entering the market?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
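As an added illustration (not part of Gerv's message and not Mozilla or NSS code), the notBefore-cutoff distrust described above, combined with the CT cross-check that makes backdating visible, modelled in Python over constructed certificate metadata. The issuer name, cutoff date, lag tolerance and sample certificates are assumptions; SCT signatures are assumed to have been verified elsewhere.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy (assumptions for this illustration): certificates from
# the named CA are distrusted if their notBefore is on or after CUTOFF, and
# the CA is required to log every certificate, so a missing SCT is fatal.
CUTOFF = datetime(2016, 9, 1, tzinfo=timezone.utc)
COVERED_ISSUER = "CN=Example Problem CA"
# CAs commonly set notBefore slightly in the past to absorb clock skew, so a
# short gap between notBefore and the first log timestamp is normal. A large
# gap means the cert claims an issuance date no log can corroborate.
MAX_LOG_LAG = timedelta(days=2)


@dataclass
class CertInfo:
    issuer: str
    not_before: datetime
    sct_timestamps: list = field(default_factory=list)  # assumed signature-verified


def evaluate(cert: CertInfo) -> str:
    """Return 'trusted' or 'distrusted: <reason>' for one certificate."""
    if cert.issuer != COVERED_ISSUER:
        return "trusted"  # the policy only applies to the problematic CA
    if not cert.sct_timestamps:
        return "distrusted: no SCT from a CA required to log"
    if cert.not_before >= CUTOFF:
        return "distrusted: issued after cutoff"
    earliest_log = min(cert.sct_timestamps)
    if earliest_log - cert.not_before > MAX_LOG_LAG:
        return "distrusted: notBefore inconsistent with CT (suspected backdating)"
    return "trusted"


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample certificates covering each branch of the policy.
SAMPLES = {
    "old_logged": CertInfo(COVERED_ISSUER, utc(2016, 8, 20), [utc(2016, 8, 20, 10)]),
    "new_issuance": CertInfo(COVERED_ISSUER, utc(2016, 9, 15), [utc(2016, 9, 15, 1)]),
    "backdated": CertInfo(COVERED_ISSUER, utc(2016, 8, 25), [utc(2016, 9, 20)]),
    "unlogged": CertInfo(COVERED_ISSUER, utc(2016, 8, 1)),
    "other_ca": CertInfo("CN=Unrelated CA", utc(2016, 10, 1)),
}


def evaluate_samples() -> dict:
    return {name: evaluate(cert) for name, cert in SAMPLES.items()}
```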

