On Mon, Mar 19, 2018 at 6:26 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> A few months ago, we discussed our root inclusion criteria [1], and came to
> a conclusion that I summarized and proposed in policy as follows:
>
> > I would like to thank everyone for your constructive input on this topic.
> >
> > At the outset I stated a desire to ‘establish some objective criteria that
> > can be measured and applied fairly’. While some suggestions have been made,
> > no clear set of criteria has emerged. At the same time, we’ve heard the
> > argument that our time would be better spent on raising the bar for all CAs
> > in the program, regardless of their subjective value to typical users of
> > our products.
> >
> > Some thought was also given to applying unique technical criteria to new
> > CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> > support. It was pointed out, however, that this favors incumbents and
> > doesn’t drive improvement in the overall ecosystem.
> >
> > The conclusion from this discussion is that we will not attempt to restrict
> > organizations from participating in the Mozilla CA program based on a
> > judgement of their value to our users. We will continue to require
> > applicants to demonstrate compliance with our policies, and reserve the
> > right to deny membership to any CA at our discretion, e.g. because they
> > have a documented pattern of misbehavior or we believe they intend to
> > violate our policies.
> >
> > Here is a proposed update to the Mozilla Root Store Policy reflecting this
> > decision:
> >
> > https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1
> >
> Having just reviewed this again, I recommend that we also remove the word
> “typical” from section 2.1(1) of the policy that reads:
>
> CAs whose certificates are included in Mozilla's root program MUST:
>
> 1. provide some service relevant to typical users of our software products;
>
> This is: https://github.com/mozilla/pkipolicy/issues/118 and
> https://github.com/mozilla/pkipolicy/issues/104
>
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/GbXvh9ulboI/DWdJUc_cAQAJ
>

So, one aspect of this is the recently discussed risk - that is, a CA that provides value for only 10 users presents a substantial amount of risk to all Mozilla users, for both compromise and non-compliance. This is, admittedly, a subjective evaluation - but then again, so is trust. I'm curious whether the current "typical" language serves to establish a baseline bar for assessing the risk - that is, a CA that issues only one certificate a year, used by 100 Mozilla users, seems like a substantial risk to all Mozilla users.