On 9/10/16, Peter Bowen <[email protected]> wrote:
> On Sat, Sep 10, 2016 at 9:14 AM, Lee <[email protected]> wrote:
>> On 9/10/16, Gervase Markham <[email protected]> wrote:
>>> On 09/09/16 11:53, Jakob Bohm wrote:
>>
>> Does Mozilla feel that using 'clear text' protocols to validate
>> domains is adequate security?
>> https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/
>>> Authorized Port: One of the following ports: 80 (http), 443 (http), 115
>>> (sftp), 25 (smtp), 22 (ssh).
>
> This is basically a catch-22 for initial issuance. If you allow
> validation via connection to a host operating at the requested FQDN,
> then it will almost surely not be using a trusted public certificate
> for the first connection.

Right - I figured that out about 30 seconds after reading an email
about allowing verification on ports 80 and 443. But you only need to
get the initial certificate one time - after that you should be able
to renew using port 443, and I didn't see anything in the requirements
about checking via an encrypted connection first. Did I miss something,
or is getting a renewal cert over port 80 allowed?

> Using ssh or accepting a self-signed
> certificate does not appear to address any critical part of the threat
> model.

Is the threat model documented somewhere?

Admittedly, I'm doing cargo-cult security - "clear text protocols Are
Bad." But is there really no better way to verify a domain? Is there
really a need to allow clear-text protocols after an end-user gets
their first certificate? Why no mention of DNSSEC in the BR?

I just started reading about certificate transparency so I might be
misunderstanding it, but if a CA is going to be handing out certs
automatically using clear-text protocols, why doesn't Mozilla make CT
a requirement? Relying solely on audits is clearly a failure, so how
about trying continuous monitoring? & make failure to log to CT
servers all by itself enough justification to be removed from the moz
trust store.

>> How bad does an auditor have to be before Mozilla will no longer
>> accept them as "a trusted auditor for the Mozilla root program"?
>> https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29
>>> Google noted that many of these issues should have been caught by a
>>> competent auditor.
>>> WoSign's auditors at the time were Ernst and Young (Hong Kong).
>>
>> Will Mozilla accept CA audits done by Ernst and Young in the near future?
>>
>> Does Mozilla plan on giving any extra attention to CAs whose last
>> audit was done by Ernst and Young?
>
> EY, like BDO, Deloitte, KPMG, and PwC, are not single firms. They are
> "networks" of firms which usually carry out their audit/attest
> services independently and are independently owned and operated. So
> an opinion from Ernst & Young Bedrijfsrevisoren BCVBA (Belgium) is
> likely written by a team independent from the team that wrote an
> opinion from Ernst & Young P/S (Denmark) which is independent from the
> team that wrote an opinion from EY 安永 (Hong Kong).

So Honest Achmed has his request for his CA to be added to the mozilla
root store denied & he comes up with a new business plan - pay the
franchise fee, get a brand name and go into business auditing CAs. As
long as the CAs he audits don't screw up he gets to rake in the money?
And when he does screw up the franchiser gets a free pass even though
they didn't make sure Honest Achmed was qualified to audit a CA?

> That being said, I
> suspect that EY Global wants to protect its brand, so I would hope
> they review any reports from any member firm that appear to be
> lacking.

I would hope the brand owner would protect their brand by insisting
that the franchisees were actually competent. In this case Google says
they weren't, so why isn't Mozilla asking EY Global for an action plan
on how they're going to fix their deficiencies?

I'm not seeing why
> EY, like BDO, Deloitte, KPMG, and PwC, are not single firms.
makes any difference. The local offices are using a global brand name
& if one local office screws up it tarnishes the brand name, not just
that one local office. I'm not seeing why Mozilla should think any EY
office is competent to audit a CA now.

Regards,
Lee
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
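The first-issuance catch-22 and the renewal question discussed above, as an added example that is not part of the original message, of the ballot, or of any CA's validation code: a small Python fetcher that allows a clear-text fetch (or an HTTPS fetch with an unverified, e.g. self-signed, chain) only while the domain has no certificate yet, and refuses anything but a verified TLS chain for renewals. The well-known path, the token value and the loopback test server are constructed for illustration and do not reflect anything the Baseline Requirements mandate; only the Python standard library is used.

```python
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical well-known path (an assumption); a real CA uses its own agreed path.
VALIDATION_PATH = "/.well-known/pki-validation/token.txt"


class ValidationPolicyError(Exception):
    """Raised before any bytes are sent when the requested transport is not
    allowed at this stage of the certificate's lifetime."""


def tls_context_for_renewal() -> ssl.SSLContext:
    """Verified-chain client context: CERT_REQUIRED, hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_validation_token(host, *, first_issuance, scheme="https",
                           port=None, timeout=5.0):
    """Fetch the token the applicant placed at VALIDATION_PATH.

    first_issuance=True  allows plain HTTP or HTTPS with an unverified chain,
    because no trusted certificate can exist yet; the weaker transport is
    recorded in the result. first_issuance=False (a renewal) uses only HTTPS
    with a verified chain and refuses "http" outright.
    Returns (token, transport), transport in {"cleartext", "tls-unverified",
    "tls-verified"}."""
    if scheme == "http":
        if not first_issuance:
            raise ValidationPolicyError(
                f"{host}: renewal validation over clear-text HTTP refused; the "
                "domain already holds a certificate, use HTTPS with chain verification")
        conn = http.client.HTTPConnection(host, port or 80, timeout=timeout)
        transport = "cleartext"
    elif scheme == "https" and first_issuance:
        # Accept whatever certificate the host presents. Against an on-path
        # attacker this is no stronger than cleartext, so it is labelled as such.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port or 443, timeout=timeout, context=ctx)
        transport = "tls-unverified"
    elif scheme == "https":
        conn = http.client.HTTPSConnection(host, port or 443, timeout=timeout,
                                           context=tls_context_for_renewal())
        transport = "tls-verified"
    else:
        raise ValidationPolicyError(f"{scheme!r} is not an HTTP-based transport")

    try:
        conn.request("GET", VALIDATION_PATH)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"{host}: HTTP {resp.status} fetching {VALIDATION_PATH}")
        token = resp.read().decode("ascii").strip()
    finally:
        conn.close()
    return token, transport


def serve_token_locally(token: str):
    """Constructed fixture: a throwaway plain-HTTP server on 127.0.0.1 that
    serves `token` at VALIDATION_PATH. Returns (server, port); call
    server.shutdown() when finished."""
    body = token.encode("ascii")

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != VALIDATION_PATH:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = serve_token_locally("constructed-token-1234")
    try:
        print(fetch_validation_token("127.0.0.1", first_issuance=True, scheme="http", port=port))
        try:
            fetch_validation_token("127.0.0.1", first_issuance=False, scheme="http", port=port)
        except ValidationPolicyError as err:
            print("refused:", err)
    finally:
        server.shutdown()
```

Run stand-alone it prints the token fetched over cleartext for the first issuance, then the refusal for the renewal attempt over the same port. The policy decision happens before any connection is opened, so a renewal never silently falls back to port 80, and the transport label travels with the token so the CA's records show which validations rested on an unauthenticated channel.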

