On Tue, Mar 20, 2018 at 1:30 PM, Jakob Bohm via dev-security-policy <
[email protected]> wrote:
>
> Are you suggesting that the BRs be modified so a CA that has ceased
>> issuance can obtain a clean audit report without meeting all current BR
>> requirements?
>>
>>
> I am suggesting that we consider what policy should be applied to the
> (required!) capability of keeping revocation running for max cert
> lifetime after a CA ceases to operate.
>

The BRs already cover this. The point is that once a CA stops auditing,
there's an issue about ensuring conformance.


> For starters, a wind-down CA will not issue any more certificates (and
> should probably be audited to that fact), and will thus not be
> meaningfully subject to the various requirements associated with that
> activity (such as validation procedures, contents of newly issued
> certificates etc.).  This alone should significantly reduce the scope of
> requirements and audits.
>

I strongly disagree with this framing. The notion of a "wind-down CA" is
not a concept that is part of the PKI. It remains a functional CA, with the
full capability of issuance, and thus all appropriate policies, procedures,
and protections apply.


> Secondly, a wind-down CA (as opposed to a wind-down root key from an
> otherwise active CA) is likely to be operating from a prepaid
> contingency fond, set up before the wind down based on the bare-bones
> cost of safely doing the wind down procedures by a qualified but not
> stellar skeleton crew.  Thus maybe it shouldn't be required to engage
> in time consuming administrative procedures such as responding to
> quarterly Mozilla surveys or diligently watching m.d.s.p for new
> requirements.
>

I strongly disagree with this. If we believe these services are meaningful
for Mozilla users, it's absolutely relevant. Consider that the proposal
here fails to consider OCSP nonces, for example, as a prime example of why
this suggestion is inherently and fundamentally flawed.


> From the perspective of keeping Mozilla users safe, there are simply a
> lot less that could go wrong,


This is not true.


> Also, some ad hoc leniency may be used as a temporary substitute for a
> formal policy.
>

I do not think these suggestions are good nor do they ensure the safety of
users, nor offer the reliability or assurance.

CAs can make contingency plans to deprecate in an orderly fashion without
any of the issues Jakob raises. The failure to do so, and the resulting
distrust, is wholly in line with keeping users safe by default.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to