On Monday, 10 October 2016 12:49:37 UTC+1, Gervase Markham wrote:
> I think that's an over-generalisation of my position :-) Whether sacking
> people is an acceptable response depends on what has happened.

I'm very doubtful that it is ever really relevant to the relying parties or 
trust stores. It might make good business sense to terminate somebody, but the 
responsibility for the problem always lies with the organisation, never an 
individual no matter how senior. We need to be quite firm in making that point.

The failure is an organisational failure: even if one identifiable individual 
is the only one to actively do bad things, the organisation failed to detect 
those things in a timely fashion and tell us about them. Firing people, whether 
it's a security guard or a CEO, doesn't fix that. The consequences have to be 
visited on the organisation, and it must not be possible to "dodge" those 
consequences through a paperwork exercise such as "firing" an employee.

> I think that yoyoing CAs in and out of trustedness is disruptive to
> customers. Killing a CA entirely is actually less disruptive. Removing
> CAs from trustedness for minor or even medium-severity non-compliance
> issues, pending compliance, is not a good strategy IMO.

Agreed that yoyoing _keys_ is annoying for the subscribers and the relying 
parties, without necessarily achieving very much, although I don't think we 
should entirely rule it out. Don't agree about the CA itself.

I don't see why we'd want to trust the existing StartCom keys. Why wouldn't 
someone who directly lies to Mozilla's investigators and to their own employer 
also lie about the integrity of the keys? No HSM is impervious to attack by its 
custodians; the protection in an HSM is against inadvertent or momentary 
compromise, not a malicious actor with total physical control over a prolonged 
period of time.

Would anybody here _seriously_ be shocked to read next month that a black hat 
group is auctioning some StartCom private keys? On the evidence available we 
have to assume that the keys underpinning both WoSign and StartCom may turn out 
to be compromised, which surely means that if StartCom is to be resuscitated so that 
Qihoo 360 can recover some of their investment, they need to generate new roots 
and start over mathematically as well as from a manpower point of view.

> I think that assessing the trustworthiness of people is an unavoidable
> part of assessing the trustworthiness of companies (who are made up of
> people). If Richard Wang started a new CA, when it applied to the
> Mozilla root program would it make a difference in the process that it
> was him running it? I think it would.

I doubt Mozilla's ability to reliably identify whether Richard Wang exercises 
effective control over any particular CA. It has been our practice from the 
outset to allow sovereign entities, private companies and public companies to 
operate Certificate Authorities, from almost anywhere in the world.

Sovereign entities are opaque basically everywhere; the effective control over 
such a "government" CA may lie with a civil servant, an appointed official, or 
an elected official, and I don't believe Mozilla asks for or receives any 
notification if that changes, as it must have done many times for the CAs in 
the trust store today.

Private companies are also opaque. In most of the world they're not obliged to 
disclose who really exercises control. In places where they notionally are 
obliged to disclose this, many either lie or obfuscate their answers, for 
example citing control as lying with another private company, based somewhere 
that has no disclosure rules or with an opaque legal trust operated by lawyers 
who'll just tell you client confidentiality stands in the way of answering.

Public companies are at least obliged in most of the world to tell you of their 
largest shareholders and senior executives. Nevertheless, it remains possible 
for practical day-to-day control to lie with someone who isn't listed on paper, 
so long as large shareholders either don't suspect this or are complicit.

It would be great if Mozilla _did_ know the key individuals behind every CA (as 
opposed to having contact details which may turn out to be for a "mere 
employee"). But I suspect that getting to there from here would be difficult. 
In particular, I suspect that because Mozilla is physically an English-language-biased, 
US-based outfit, any mechanism by which Mozilla tried to obtain 
confidence in the identities of the people behind each CA would be very open to 
the charge of trying to shut out non-English, non-US groups from a global 
Internet.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy