On Thursday, April 6, 2017 at 3:24:53 AM UTC+1, Peter Kurrasch wrote:
> I have no issue with the situations you describe below. Mozilla should act to
> encourage the good behaviors that we would want a new, acquiring CA to
> exhibit while prohibiting the bad--or at least limiting the damage those bad
> behaviors might cause. It's in this latter category that I think the current
> policy falls short.
>
> Consider a situation in which I have a business called Easy Pete's Finishing
> School for Nigerian Princes. As the name might suggest, the nature of my
> business is to train potential scammer after potential scammer and set them
> free on the Internet to conduct whatever naughty things they like. It's a
> very lucrative business so when I see a root cert coming up for sale it's a
> no-brainer for me to go out and purchase it. Having access to a root will
> undoubtedly come in handy as I grow my business.
>
> Once I take possession of the root cert's private key and related assets,
> what will limit the bad actions that I intend to take? For the sake of
> appearances (to look like a good-guy CA) I'll apply to join the Mozilla root
> program but I'm only really going through the motions--even in a year's time
> I don't really expect to be any closer to completing the necessary steps to
> become an actual member.
>
> And it's true that I may be prohibited from issuing certs per Mozilla policy,
> but that actually is a bit of a squishy statement. For example, I'll still
> need to reissue certs to the existing customers as their certs expire or if
> they need rekeying. Perhaps I'll also get those clients to provide me with
> their private key so I may hold it for "safe keeping". Sure, it's a violation
> of the BR's but I'm not concerned with that. Besides, it will take some time
> until anyone even figures out what I'm doing.
>
> The other recourse in the current policy is to distrust the root cert
> altogether. Even then it will take time to take full effect and who knows,
> maybe I can still use the root for code signing? And then there are the
> existing customers who are left holding a soon-to-be worthless cert....
>
> Leaving behind this land of hypotheticals, it seems to me the policy as
> written is weaker than it ought to be. My own opinion is that only a member
> CA should be allowed to purchase a root cert (and assets), regardless if it's
> only one cert or the whole company. If that's going too far, I think details
> are needed for what "regular business operations" are allowed during the
> period between acquisition of the root and acceptance into the Mozilla root
> program. And should there be a maximum time allowed to become such a member?
Mozilla could change its policy to say that any newly acquired roots which are not bought by existing root members should have a temporary distrust block placed on the root until the new program member has met all the requirements defined in the root program inclusion policy, and if the root member doesn't meet the requirements within x amount of time the root will be removed permanently from the root store. I understand this option would affect the existing subscribers using that particular root, but we must maintain a certain level of trust in the root program.

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy