On Monday, October 10, 2016 at 11:39:19 AM UTC-7, Kathleen Wilson wrote:
> I would like to remind everyone that when making decisions about what to do
> about CA mis-issuance, it is expressly *not* a goal for me to mete out
> punishment. Rather, my primary goal is to help keep end-users safe, based on
> the information that is available.
Kathleen,

Even as a module peer, this reply somewhat surprises me. While I understand the desire to avoid punitive treatment, at the same time, the entire functioning of the ecosystem is based on the rather intangible property of "trust", which we attempt to quantify both through objective policies and through the evaluations of third parties, at the individual level, but also through the lens of economic game theory. That is, if we accept that the sole role of the program is to respond so as to ensure incidents are contained, then that suggests that there is zero incentive for a CA to comply with Mozilla's policies in general, because only the most serious infractions might necessitate distrusting a CA.

Consider, for example, the comparison of this discussion (with respect to StartCom's misissuance) with that of CNNIC's, a CA which Mozilla moved to distrust. CNNIC, as you know, had an otherwise unblemished record, until a lapse in policies by senior management resulted in the issuance of a CA certificate to MCS Holdings. However, by the time Mozilla took action, the certificate issued to MCS Holdings had already expired; its ability to cause damage was already constrained. If we take the view that the primary goal is to keep end users safe, then we could say that at the time of expiration that goal was met, and no further action was necessary. The one incident that CNNIC had done had been resolved (and, as CNNIC's management itself attested, was done in a time-limited fashion specifically to reduce risk and ensure compatibility for Mozilla clients in a future sub-CA arrangement). Following that incident, CNNIC's management was confident they understood the issue, and its seriousness, and yet Mozilla still went ahead. To what logic can we attribute that?
My own belief is that there is an aspect to keeping end-users safe, much like there is with respect to enforcing laws: that is, without consequence, there is no rule of law, and thus there is, purely from an economic perspective, zero incentive to abide by the rules of inclusion in Mozilla's program. It's only because the spectre of consequence looms over CAs that there is an incentive to abide by the policies: failure could result in distrust, which could result in a disruption of business. While understanding and having a remediation plan is important, we don't exactly practice a judicial system in which the guilty party proposes their own sentence, again because the economic incentive there is to take the least impactful option.

I do hope you consider your response in this light: that to take no action, as proposed, would be a strong signal to the ecosystem, both to CAs and to Mozilla's users, that any CA who callously and crassly violates Mozilla's policies can escape without (meaningful) consequence, provided that they put the right people 'in front', or provide the necessary legal structuring to avoid detection. Though it may be argued that the proposed remediation for StartCom, put forward by Gerv, is not "without consequence," on a purely economic matter, it really largely is. As seen during the discussion of the management structure, the numbers we're talking about in terms of overall profits and revenues are measured in billions of dollars, and while this might represent some cost to achieve, it allows a full recognition of profits throughout the period, and avoids any meaningful sanction or stigma. This, in turn, can be seen as the base 'cost to violate', and many CAs, particularly those with state backing, could easily absorb such costs.
I'm trying to avoid too many political parallels, but one might consider, say, the response to the global banking crisis and corruption, and whether or not the sanctions, designed to protect consumers by censuring inappropriate behaviour, meaningfully accomplish that. Likewise, it might be useful to compare such Scandinavian models of proportionate impact, http://www.theatlantic.com/business/archive/2015/03/finland-home-of-the-103000-speeding-ticket/387484/, and their effects on deterring behaviours that put others at risk.

Though we should not strive to have CAs "yo-yo in", as Gerv put it, and I am a strong believer that *any* future trust *must* involve new keys, we know we have a number of failures, through a single shared organization, and I believe that to offer anything short of an equivalent action upon both those roots under the "WoSign" branding and those under the "StartCom" branding, whatever their historic operational separation, is to send a strong signal to CAs that Mozilla's enforcement is in name, but not in practice, and that the rules only apply to those who can't pay their way out of them.

The last piece I'll leave you with, as you thoughtfully consider the (rather uniform) feedback to date: consider research such as http://freakonomics.com/2013/10/23/what-makes-people-do-what-they-do/ (I link to the more accessible version, rather than the scholarly citations). The encouragement of 'small' fines, which I believe is exactly what the proposal for StartCom represents, can easily encourage more of the very behaviour you're expecting to deter. It is only when the risk is truly great that any deterrence begins to be introduced, and the only meaningful consequence of bad behaviour, within the CA ecosystem, is distrust, as many are calling for.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

