I think QiHoo 360's role does open some questions. In particular, why would QiHoo 360 shut down efforts by StartCom, run by a relatively trusted member of the community, Inigo Barreira, to be accepted as a CA, and instead favor WoTrus, run by Richard Wang, an explicitly UN-trusted member of the community, to be accepted as a CA?

That's a fairly remarkable choice for them to make, considering the circumstances, and I think fairly clearly a choice *not* primarily based on trust considerations.

On Wednesday, November 22, 2017 at 3:28:49 PM UTC-5, Matthew Hardeman wrote:
> In defense of WoSign/WoTrus/StartCom's parent company, QiHoo 360...
>
> While I don't personally attach a great value to the ethics of the owning entity of the CA/proposed CA, for those who do or would attach such importance, I would like to point out that the various vulnerability and security research teams at QiHoo do a lot of good work and indeed are quite often credited for discovery of vulnerabilities in a plurality of complicated systems and products:
>
> For example, QiHoo 360's researchers are among the largest contributors by unique vulnerabilities discovered and documented in Google's Android OS. Similarly, quite a lot of firmware and OS in Apple products have vulnerability reports crediting QiHoo 360 for discovery of vulnerabilities.
>
> These include such "big-ticket" banner issues as the Broadcom wi-fi driver bug which allowed for arbitrary code execution.
>
> It's clear that the parent organization employs a great many talented security and vulnerability researchers who are materially contributing to the overall security and integrity of computing, mobile, network, and software technologies.
>
> I'm sure there's plenty to criticize about them as well, but the fact remains... They are securing a lot of undisputed credit for novel discovery of significant security issues in products millions are using daily -- and they're disclosing these to the vendors and fixes are happening.
>
> If it is decided that we want to attach "corporate level" responsibility to current and prospective CAs, I submit that this is a data point for consideration.
>
> As to my own opinion, I do not think the behavior of the ownership hierarchy or corporate entity is of direct concern. Rather, I think the behavior of the people involved is where the ultimate story starts and stops.
>
> On Wed, Nov 22, 2017 at 1:10 PM, Matthew Hardeman <[email protected]> wrote:
> >
> > On Wed, Nov 22, 2017 at 12:00 PM, Ryan Sleevi <[email protected]> wrote:
> >
> > > Given that WoSign's CP/CPS itself was met by standard boilerplate, I would pose that it is insufficient - the past behaviour as a predictor of future behaviour means that the existing documentation approaches are insufficient to make an evaluation about the trustworthiness going forward.
> > >
> > > How would this be remedied? It seems at a minimum, there'd need to be safeguards within the new documents that sufficiently describe and mitigate the past failures of safeguards.
> >
> > Presuming that the to-be-offered-up CP/CPS/infrastructure architecture/key+cert chains proposed/self-assessment questionnaire, etc, met the current definition of bog standard acceptable -- specifically, those same documents with the name of a new entrant entity would be accepted, it would seem that, in your position, we're back to applying a different standard for this proposed inclusion?
> >
> > Therefore, I think we must define what aspect of the same material application with the same documents, save for entity name, makes it acceptable in some cases and not acceptable in others.
> >
> > Is it the fact that it is the same legal entity applying which causes this proposed different standard to attach? I'll expound on why I believe that would not be an appropriate marker.
> >
> > Is it the fact that it is the same management team applying which causes this proposed different standard to attach? Similarly, I'll explain why I believe this IS a concern for which different standards can be applied.
> >
> > It's really hard to look to a legal entity as a strict boundary for behavior. The legally crafty entity can always spin up a sibling or child entity to overcome that hurdle. We can then talk about beneficial ownership as a factor, but as an entity scales larger, so too the probability that the true beneficial ownership is merely an equity investment player, broadly unconcerned with the day to day management. I don't know a decent way to define the boundary of a CA as aligning to a corporation or corporate family and then holding that legal entity accountable for an indefinite period of time. There are just too many ways around it. I think standards drawn this way are likely to have perverse consequences both as to inclusion and exclusion.
> >
> > If the particular investor/lender who presently holds title to the proposed CA is of little to no interest then, what can we rely on in those matters which require us to extend this nebulous concept of trust and good faith? I believe the key lies in those members of the management team and operations team who have access and authority to impact the behavior of the CA. I think those people are knowable and that reward and consequence can be taxed upon those individuals as appropriate. I submit that the root programs have both the carrot and stick with which to convey those same said rewards and consequences.
> >
> > If instead what Ryan proposes is that the now current definition of "standard" for CP/CPS/other docs/etc should be modified to include specific gotchas and mitigations for the history as learned from WoSign/WoTrus/WoTrust/StartCom then I think there is a case to be made there. Having said that, the things we're trying to codify from the mentioned prior behavior will be really hard to codify. There's not an easily written mitigation for "We're run by someone who'll sell anything, including that which industry consensus says must not be sold."
> >
> > > I think an important part of this discussion is trying to understand to what side of Hanlon's razor did WoSign's actions fall (or, for that matter, of any CA). If it was incompetence, is there sufficient explanation for how such incompetence happened? Is there sufficient evidence that both the specific incident and any underlying causes have been remediated? Alternatively, if we allow it to be attributed to malice (or, for that matter, greed), is it possible to design a system of trust that is robust against such considerations? If not, is it an acceptable risk to take going forward? If we can, what are those controls and expectations?
> >
> > As to this question, I put forth that the discussion should proceed as to the hypothetical scenario in which greed, intentional non-compliance, and intentional deception as an attempt to cover for said greed and non-compliance were all the reality. The backdated issuance of an SHA1 server certificate for Australian payments processor Tyro, for example, is hard to imagine in another light. I suspect Tyro realized they suddenly needed something that couldn't legitimately be ordered and started reaching out to CAs that they thought might sell them something special for a premium. I think someone (presumably the operations leadership) at StartCom at that point saw a revenue opportunity with which he might impress the ownership.
> >
> > If all of that is how that played out, I reiterate my question: Is that about the CA / proposed CA or is that about the individual management who caused these matters to arise? I submit that it is properly taxed upon the individual.
> >
> > Just my thoughts...
> >
> > Matt Hardeman

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

