On Tuesday, June 6, 2017 at 4:14:00 AM UTC-5, Gervase Markham wrote:
> On 05/06/17 14:29, Alex Gaynor wrote:
> > As I've expressed before, I find it baffling that this still happens.
> 
> I am also disappointed. I have half a mind to keep track of how often
> this happens per CA, and impose a mandatory delay of 1 month per
> incident to that CA's next attempt to include a new root or get a trust
> bit or EV change in our store. :-)

I've wondered for quite some time why these circumstances aren't regarded as 
equivalent to mis-issuance.

I recognize that they likely are not mis-issuance of a certificate in any 
traditional sense.  Likely these are all intended and meant to be issued and 
proper validation and cause for the issuance can be shown.

However...  Isn't the point of the CCADB to document these SubCAs, track 
audits, and build up the whole trust framework and provide rational, documented 
support for confidence in the ability to trust certificates issued descendant 
of these CAs?

If so, allowing issuance of a SubCA without requiring disclosure provides 
opportunities for these CAs to facilitate improper certificate issuance without 
necessarily suffering the full consequence.  It also deprives the public of the 
opportunity to critically examine these "hidden" parts of the trust 
infrastructure.

On that basis, it would seem that "concealing" a SubCA for a significant period 
of time has the consequence of benefiting the Root CA program participant 
without a corresponding "time to pay the piper" when the SubCA is discovered.

Why not adjust the program requirements such that:

If we are exposed to a SubCA chaining to an included root via any mechanism 
other than the included program participant directly disclosing said SubCA to 
us, having not previously had this SubCA properly disclosed to us, this will be 
regarded as a serious security incident which may require remediation.  (In 
other words, the program will just assume that in the absence of a prior 
disclosure, the disclosure, when/if it would come, says that an external SubCA 
without constraints of any sort was issued without any audits to your least 
favorite authoritarian regime.)

I think if any CA publicly said that this would be a substantive burden upon 
them that said CA should probably be subject to far greater scrutiny, as that 
would be evidence of poor procedural or organizational structure.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy