On Tue, Apr 11, 2017 at 6:37 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 11/04/17 04:45, Eric Mill wrote:
> > But I think it's important to note that this relationship was not widely
> > understood or publicly discussed as part of the Mozilla trusted root
> > program, between 2009 and 2016.
>
> And you think that's bad?

An (interactive) picture might help illustrate what I'm pointing to. This is the Federal PKI: https://fpki-graph.fpki-lab.gov

There's something like 200 civilian, military, and non-government CAs in there, connected through a huge number of bridges and cross-signatures. Despite the name, the Federal PKI contains more than the federal government -- within that graph are signatures bridging over to sector-wide PKIs such as SAFE-BioPharma. In the center is the Federal Common Policy CA, which ultimately everything can be chained up to.

For the time that the cross-signature was active (the one in question is here - https://crt.sh/?id=12638543 and was ~8 months beginning in December 2015), all 200 of those CAs were capable of issuing a certificate that would be technically trusted by users of the Mozilla root store.

I haven't looked to see whether there were other cross-signatures issued by VeriSign or Symantec since the cross-signer's parent CA was admitted to the Mozilla root store around 2009.

All that's been said here by Symantec on this issue's impact is that the discussion around this made it clear that browsers don't respect certificate policy identifiers (OIDs). Those policy identifiers would have been, as I understand it, the sole technical constraint capable of protecting users of the Mozilla trust store from mis-issuance from any of these 200 CAs, had clients respected them.

I'll leave it to others to opine on the severity of the mistake and the quality of the response, but I do want to at least properly communicate the impact.

-- Eric

> There were several discussions about including the FPKI roots during
> this time, and about the problems that might cause. I might expect
> someone reading those, who knew that we already trusted bits (or all?)
> of the FPKI due to their actions, to say something...
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966