On 30/3/2017 4:01 PM, Peter Kurrasch via dev-security-policy wrote:
By "not new", are you referring to Google being the second(?) instance where a 
company has purchased an individual root cert from another company? It's fair enough to 
say that Google isn't the first but I'm not aware of any commentary or airing of opposing 
viewpoints as to the suitability of this practice going forward.

Has Mozilla received any notification that other companies intend to acquire 
individual roots from another CA? I wouldn't ask Mozilla to violate any 
non-disclosures but surely it's possible to let the community know if we should 
expect more of this? Ryan H. implied as much in a previous post but I wasn't 
sure where he was coming from on that.

Also, does Mozilla have any policies (requirements?) regarding individual root 
acquisition? For example, how frequently should roots be allowed to change 
hands? What would Mozilla's response be if WoSign were to say that because of 
the tarnishing of their own brand they are acquiring the HARICA root? What if 
Vladimir Putin were to make such a purchase? Any requirements on companies 
notifying the public when the acquisition takes place?

Perhaps this is putting too much of a burden on Mozilla as something of a protector 
of the global PKI, but I'm not sure who else is in a better position for that 
role?

Hi Peter,

This public discussion around the Root transfer triggered an update in Mozilla's Root Transfer Policy <https://wiki.mozilla.org/CA:RootTransferPolicy>. Specifically (emphasis mine):

"No issuance whatsoever is permitted from a root certificate which has changed ownership by being sold by one company to another (as opposed to by acquisition of the owning company) until the receiving company has demonstrated to Mozilla that they have all the appropriate audits, CP/CPS documents and other systems in place. In addition, *if the receiving company is new to the Mozilla root program, there must also be a public discussion regarding their admittance to the root program.*"

I believe this covers the "unknown" members of the Mozilla Root program quite well. I would also suggest that you try not to use existing Companies/Organizations as examples (although I also find it very tempting sometimes) because there may be misunderstandings :)


Dimitris.


Original Message
From: Gervase Markham via dev-security-policy
Sent: Thursday, March 30, 2017 1:06 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Re: Criticism of Google Re: Google Trust Services roots

On 29/03/17 20:46, Peter Kurrasch wrote:
It's not inconsequential for Google to say: "From now on, nobody can
trust what you see in the root certificate, even if some of it
appears in the browser UI. The only way you can actually establish
trust is to do frequent, possibly complicated research." It doesn't
seem right that Google be allowed to unilaterally impose that change
on the global PKI without any discussion from the security
community.
As others in this thread have pointed out, this is not a new thing. I
wouldn't say that Google is "imposing" this need.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy