On 18/01/2018 11:01, Gervase Markham wrote:
On 17/01/18 19:49, Jakob Bohm wrote:
3. Major vertical CAs for high value business categories that issue
   publicly trusted certificates at better than EV level integrity.  For

How do you define "major"? And "high value business category"?


Major would be the biggest 1 to 3 of their kind, ignoring any covering
only a small fraction of the relevant web site/e-mail population even if
in the top 3.  Also any not doing this globally is not major.

High value business category would be a category where web users have an
extremely high need for genuineness.  Banks/central payment systems
would be the canonical example, with the VISA CA/SET combination as a
possible historic example (noting that it looks like they don't
currently qualify even if they did in the past).

Another example could be if a global medical organization (WHO or ICRC
or some NGO) were to issue certificates for secure communication with
doctors anywhere people might live or travel, using their specific
knowledge and resources to ensure that only actual doctors could get
certificates.  Here the high value would be the user's life and physical
health, not money.

On the other hand, similar certificate services for e-commerce sites or
drugstores would probably not qualify as sufficiently high value to
entertain a category specific root inclusion.

Similarly a CA that only vouches for Banks in the US and Britain would
not qualify as Major, even if no larger banks-only CA exists.

4. Selected company CAs for a handful of too-big-to-ignore companies
   that refuse to use a true public CA.

So you think Mozilla's policy should include formal acknowledgement that
some companies are too big to ignore?

How do you decide which companies are in this category?


This would very much be a subjective assessment, and would only be on a
provisional basis.  The key criterion would be how much normal users
would be hurt by that CA not being trusted.  Another key criterion would
be whether they were already included (Google and Amazon).

For example, if users can't access the most popular search engine
(Google), cannot access key services for their OS (Microsoft in some
cases), or cannot access sites hosted by one of the top hosting
providers (Amazon) that would be a reason to include that root in
preference to forcing users to switch to a browser that does (Chrome,
IE, some Amazon browser).

As most large companies will have a hard time creating this situation
from scratch (because they would not be initially trusted by browsers,
they can't get away with creating a situation where adding them to
browsers becomes a necessity), this will be mostly a transitional /
grandfathering category.

Note that with my more strict definition of a global public CA, cloud
providers (or other providers) that only vouch for their own customers
don't qualify in that category, since they are not open to all comers.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy