On 17/01/2018 22:51, Peter Bowen wrote:
On Wed, Jan 17, 2018 at 11:49 AM, Jakob Bohm via dev-security-policy
<[email protected]> wrote:
4. Selected company CAs for a handful of too-big-to-ignore companies
   that refuse to use a true public CA.  This would currently probably
   be Microsoft, Amazon and Google.  These should be admitted only on
   a temporary basis to pressure such companies to use generally trusted
   independent CAs.

Jakob,

Can you please explain how you define "true public CA"?  How long
should new CAs have to meet this criteria?   I don't like carve outs
for "too-big-to-ignore".


True public CA = #1 to #3 in my list. For the 3 organizations mentioned,
this would probably be #1.

For #1 they would need to offer certificates to anyone willing to pay
the usual fee (possibly 0), passing validation and not barred by special
circumstances (Government embargoes, non-functional whois servers, known
cybercriminals etc.).  They would need to promise doing this as long as
they are fully operational, but obviously not during spin-up and
stand-down periods (where they would typically only sign internal
certificates, test sites etc.)

For #2 and #3 they would need to offer certificates to most entities
within their scope.

So Let's Encrypt, Digicert, Globalsign etc. are true global CAs. (#1)

CNNIC, Deutsche Telekom etc. are national CAs (#2)

VISA, ICAO etc. might operate vertical major CAs (#3)

The carve outs are there because as web users we have difficulty
avoiding websites using those specific organizations, thus needing to
trust them subject to as many limitations as the browser can practically
enforce.  The suggested time limits are there to help sunsetting the
carve-outs.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy