All,

What I am about to say represents my own personal beliefs and is not necessarily the same as the beliefs of my employer, Google, or of Let's Encrypt, where I am an advisor.

I have been involved in the WebPKI since its inception. In the WebPKI, a Certificate Authority has a conflicted role: it is responsible for acting in the best interest of the Relying Party, but its existence is dependent on that of the Subscriber. This is true of all CAs, even Let's Encrypt, whose existence is dependent on donations from large organizations who, in many cases, utilize its service. This model only works when there is a consequence for CAs that violate the interests of the Relying Party.

That begs the question of what the interests of a Relying Party are in the context of the WebPKI. I would say the relying party expects CAs:

- To understand the deeply technical nature of X.509 and the web,
- To deploy products and services that securely support secure communications on the web,
- To operate their services in such a way that they are verifiable by third parties,
- To act in a trustworthy and transparent way.

As I look at what has happened in this particular case, despite recent gestures, it is clear to me that WoSign has not lived up to these expectations. While I have a ton of admiration for Eddy and the way that the independent StartCom operated, StartCom is a corporate entity and not an individual. Moreover, given that for the last year it has had numerous technical lapses, and its leadership misrepresented the material facts about its operation, it also has largely failed on these points.

This begs the question of what should be done in this case. I believe the answer there is buried in the role of the browsers in the WebPKI ecosystem, where they represent the interests of relying parties. To this end, when I managed the Microsoft Root Program I did my best to guide my decisions by the following tenets:

- I fight for the relying party,
- I fight for the WebPKI ecosystem,
- I must be predictable and fair,
- I must encourage the ecosystem to evolve to meet changing needs,
- I must comply with all legal and regulatory obligations.

In this case, it seems to me that WoSign's purchase of StartCom, short of the lies and subterfuge (which I do not mean to trivialize), is not materially different than Symantec's ownership of the Thawte, RapidSSL, or GeoTrust brands. In past actions against Symantec, there were no carve-outs for the different brands. As such, it would seem that to do so for WoSign and StartCom would not be an action consistent with the principles I tried to live by as a manager of a root program.

That then takes us to the structural changes proposed by Qihoo. I should say that I personally have faith in Inigo as a leader who would do the right thing for the WebPKI, and I believe that overall these changes seem like the right gestures to be making. They do not, however, negate the facts in question.

It seems to me, based on this thread, that Mozilla, or more specifically Gerv, is inclined to treat StartCom differently. I can assume this is because:

- StartCom, prior to its acquisition, had a positive brand reputation,
- He agrees that the new leadership would likely act in the right interest of the WebPKI.

The problem is that this sets a dangerous precedent. Let's assume a similar situation happens in the future with another CA who owns multiple brands. Would you ignore the violations of the rules and allow them to carve off one brand because you liked who they would let manage it if you do? I would hope the answer is no.

I would say that holding them equally accountable is the right thing to do, since for the time in question, they were equivalently managed and operated. To offer much more than that would not be fair or in the best interest of the WebPKI ecosystem.

Ryan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

