On Friday, August 4, 2017 at 8:02:16 AM UTC+9, Kathleen Wilson wrote: > On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote: > > I would really like to see that they have at least opened a bug to > > request the inclusion of that CA before it's cross-signed. > > Here's StartCom's current root inclusion request: > https://bugzilla.mozilla.org/show_bug.cgi?id=1381406 > > > > It should > > have already all the requirements that Mozilla has for including the > > root CA certificate before it's cross signed. > > Correct. That should be true for all subCAs that are cross-signed by > currently-included CAs. > > > > > I would prefer that it's even included in the Mozilla root store > > before it's cross signed, > > That might not be fair, given how long Mozilla's root inclusion process > takes, and that we don't require this of other CAs who are new to our program.
Kathleen, Doesn't this depend on your perspective of whether or not "new CA" refers to the key or the organization? There's no doubt StartCom is not a "new CA" - it is a CA that Mozilla entrusted with the ability to issue certificates, and the organization - and its management - egregiously and repeatedly violated that trust. The decision to remove - and to instill new requirements - was to ensure that the organization meaningfully underwent change to ensure that it would not do the same if further keys operated by it were included as trusted by Mozilla products - whether directly or indirectly. Further, the process of restricting it to going through the Mozilla process ensures that there is a sufficient level of community review of those remediation steps, so that the Mozilla community can be assured that StartCom, the organization, is both competent enough and trustworthy enough to be entrusted with keys to the Internet. In this light, both the past actions of StartCom the organization AND the many technical failures are relevant in that evaluation. Cross-signing directly undermines that review process, and in doing so, undermines both trust in StartCom the organization and in the Mozilla process, if a removed CA need only to pay for a cross-sign and can thus bypass every remediation step required of them, as StartCom is effectively doing. My understanding had been that when a remediation is imposed on an organization, due to failing to follow policies, then those remediation steps must be taken, and subsequently reviewed by the community, before any direct (root key inclusion) or indirect (cross-signing) restoration of trust in the Mozilla Root Store. Without that guarantee, any corrective actions are hollow, and with it, trust in the whole system itself is lost. I do hope you can clarify whether remediations apply to keys operated by organizations, or whether they apply to the organization themselves. If they apply to the organization, one would naturally expect they apply to root inclusion or cross-signs, and the organization is no longer "treated like a new CA," because they are no longer a new CA - they are an existing one. It is also worth noting that in the past, Mozilla directed other CAs that cross-signing of their (new) roots would be expressly forbidden until the corrective actions were taken and publicly reviewed. For example, allowing CNNIC to be cross-signed prior to remediation would have defeated the entire purpose of removal. In this larger light, it would also seem that StartCom, having misissued a number of certificates already under their new hierarchy, which present a risk to Mozilla users (revocation is neither an excuse nor a mitigation for misissuance), should be required to take corrective steps and generate a new hierarchy that is not, out of the gate, presenting risk to the overall community due to its past misissuances. We can and should expect more of new keys being included, because the compatibility risk of expecting adherence to the Root Policy is non-existent. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
