On Wednesday, September 21, 2016 at 12:05:49 PM UTC-7, Peter Kurrasch wrote:
> I have a hard time seeing how any sort of white list solution will actually 
> mitigate any of the bad behavior exhibited by WoSign. 

This doesn't help understand where your disconnect is, or how we might educate 
and inform you about different perspectives.

> So the problem I have with a white list is the implication that while we 
> don't trust the CA to issue new certs, we do have trust in the continued 
> operation of other parts of the CA. 

Once a certificate is issued, it's issued. What continued operations, beyond 
revocation (which doesn't work in the Web PKI) do you see as necessary?
> I'm just having a hard time seeing how there is anything left to trust when 
> it comes to WoSign. Maybe the best outcome would be a finding of 
> irreconcilable differences and for us to go our separate ways? Maybe we just 
> want different things in a global PKI system?

It's unclear who you're referring to here. I think, judging by some of your 
replies, that some of the experts in this space don't agree with you or your 
conclusions, but this may simply be a teachable opportunity.

To try to explain to you:
A wholesale distrust is, in effect, a statement that we believe no certificate, 
past, present, or future, is trustworthy. This is a very strong statement, and 
it's very hard to make, even under significant evidence, but is sometimes 
necessary (for example, when an unknown number of unconstrained sub-CAs have 
been issued).

However, if you're willing to believe that no unconstrained sub-CAs exist, and 
if you're willing to accept that most, but not all, certificates were issued 
according to the policies and community expectations, then such a statement is 
overly harsh. By overly harsh, I'm not considering the reception of the CA, I'm 
considering the message that browser vendors would be sending to users and to 
sites that have chosen to use such certificates.

For example, do you believe that if a user tries to access 
https://www.wosign.com, they should be shown an interstitial? Do you believe 
that is a helpful message to end users? Do we believe that the specific 
certificate is untrustworthy?

In most CA cases, when evidence of malfeasance is discovered, it's not 100% of 
the certificates. It might be .001%. But that .001% is significant enough to be 
uncomfortable to trust NEW certificates, because that margin is too high. 
Further, once disclosed via CT, we can reasonably be confident that EXISTING 
certificates conform to appropriate policies.

The only continuinity of business that a CA would potentially need to provide, 
in the event of a distrusting, is OCSP and CRLs. And we know those simply don't 
work at the WebPKI, which is why CRLSets and OneCRL and Certificate Distrust 
List exists. So I have trouble with your suggestion that a whitelist is an 
indication of continued trust in a CA, other than it's a recognition of the 
fact: "Most" of the certs are probably OK, but "new" certs have too high a 
margin of risk to continue to be accepted.
dev-security-policy mailing list

Reply via email to