As for what CA organizations to include in a future iteration of the Mozilla root store, I would say that there are 4 groups that I (as a browser user) would like to get included and 2 which I would not:

1. Global public CAs that provide certificates to subscribers from all
  over the world subject to appropriate security controls to avoid
  issuing to people other than what the certificate states and avoid
  technical compromise of the certificate infrastructure and the relying
  party software.

2. National public and government CAs that issue certificates only to
  their own subjects (citizens, organizations, institutions) to similar
  high standards further enhanced by their authoritative knowledge of
  the true identities of subscribers.  However trust in those should be
  technically constrained (either in the roots or in extra root store
  metadata) to only the country identifiers they are actually
  authoritative for.  For example the Taiwan Government roots should
  only be trusted for the .tw TLD (or perhaps some government
  subdomain).  Similarly, any new Danish national CA (replacing the dead
  TDC CA) would only be trusted for the .dk, .fo and .gl TLDs.
  The C= and jurisdictionOfIncorporation parts of distinguished names
  should also be restricted.

3. Major vertical CAs for high value business categories that issue
  publicly trusted certificates at better than EV level integrity.  For
  example if the VISA CA was issuing public certificates for the
  customer facing secure account web interfaces of most of the
  participating banks and credit card issuers, worldwide, they would be
  a valuable CA to include.  The same would be true if the (now historic)
  SET payment standard had been included in Firefox and relied on VISA
  issued certificates for the payment servers.

4. Selected company CAs for a handful of too-big-to-ignore companies
  that refuse to use a true public CA.  This would currently probably
  be Microsoft, Amazon and Google.  These should be admitted only on
  a temporary basis to pressure such companies to use generally trusted
  independent CAs.

Root operators not to include:

-1. Root programs that engage in actually harmful activities such as
  MiTM attacks or mandatory key escrow.  Seems many "eIDAS" style CAs in
  the EU do the latter.

-2. Root programs that serve only themselves and have not become too-big
  to ignore.


On 17/01/2018 00:45, Wayne Thayer wrote:
I would like to open a discussion about the criteria by which Mozilla
decides which CAs we should allow to apply for inclusion in our root store.

Section 2.1 of Mozilla’s current Root Store Policy states:

CAs whose certificates are included in Mozilla's root program MUST:
     1.    provide some service relevant to typical users of our software
products;



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
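
An added illustration of the per-country trust constraint proposed in point 2 above; it is not part of the original message and not Mozilla's root store code. The root labels, the metadata layout, the country-code sets and the fail-closed handling of a missing C= are assumptions.

```python
# Constructed "extra root store metadata": root label -> permitted TLDs and
# country codes. Labels are hypothetical; the TLD sets follow the message.
CONSTRAINTS = {
    "example-tw-gov-root": {"tlds": {"tw"}, "countries": {"TW"}},
    "example-dk-national-root": {"tlds": {"dk", "fo", "gl"},
                                 "countries": {"DK", "FO", "GL"}},
}


def tld_of(dns_name):
    """Return the lower-cased TLD of a SAN dNSName, or None if malformed."""
    name = dns_name.rstrip(".").lower()
    if name.startswith("*."):          # a wildcard covers names in the same TLD
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    return labels[-1]


def violations(root, dns_names, subject_country, jurisdiction_country=None):
    """List the reasons a leaf chaining to `root` breaks its constraint.

    An empty list means acceptable. Roots without metadata are treated as
    unconstrained global CAs (group 1 in the message).
    """
    rule = CONSTRAINTS.get(root)
    if rule is None:
        return []
    problems = []
    for name in dns_names:
        tld = tld_of(name)
        if tld is None:
            problems.append(f"malformed dNSName {name!r}")
        elif tld not in rule["tlds"]:
            problems.append(f"{name!r} is outside permitted TLDs")
    # Assumption: a constrained root must always assert a permitted C=.
    if subject_country is None or subject_country.upper() not in rule["countries"]:
        problems.append(f"subject C={subject_country!r} not permitted")
    # jurisdictionOfIncorporation country is checked only when present.
    if jurisdiction_country is not None and \
            jurisdiction_country.upper() not in rule["countries"]:
        problems.append(f"jurisdiction country {jurisdiction_country!r} not permitted")
    return problems


if __name__ == "__main__":
    # Constructed sample: one in-scope name and one out-of-scope name.
    for reason in violations("example-tw-gov-root",
                             ["www.gov.tw", "login.example.com"], "TW"):
        print(reason)
```

A relying party would run such a check on every SAN entry of the leaf, so a single out-of-scope name rejects the whole certificate.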