I guess under this logic, I withdraw my protest. As you say, Google could simply start using these certificates, and Mozilla executives would force you to accept them regardless of any policy violations in order to keep people using Firefox. This whole process appears to mostly just be a veneer of legitimacy on a process roughly akin to the fair and democratic election of Vladimir Putin. :| As long as Google remains legally answerable to no authority and an effective monopoly in half a dozen markets, there is roughly no point for Mozilla to maintain a CA policy: It should simply use Chrome's trusted store.
Google's explanation in their announcement seems to confirm my statement: That buying roots from GlobalSign is effectively backdooring the CA process and making their certificates work in products which would not otherwise trust them. -Jacob Weisz On Mon, Sep 17, 2018 at 6:19 PM, Wayne Thayer <wtha...@mozilla.com> wrote: > On Mon, Sep 17, 2018 at 3:19 PM jtness--- via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: >> >> >> The risk of any given browser vendor also being a Root CA is small as most >> browser vendors do not have the requisite market share to make unilateral >> decisions. Google possesses over 60% of the browser market and 80% of the >> mobile operating system market. What avenues does Mozilla have to >> realistically push back if Google abuses their effective authority over the >> Internet via browser share in the CA space? Presumably "Firefox becomes the >> browser that can't establish a connection to google.com or gmail.com" is >> outside of the realm of realistic scenarios. Neither Apple nor Microsoft has >> the market share to summarily decide a CA is no longer in business, Google >> can. >> > I don't agree with this logic. Most websites care a lot about losing even 1% > of users to untrusted certificates. Also, a logical conclusion from this > argument is that Mozilla can't decide to deny this inclusion request, > especially given that Microsoft has already accepted these roots, because if > we do then Google will just go ahead and use them anyhow. I don't agree with > that conclusion either. > >> It would seem to me that Google is already the judge, jury, and >> executioner of the public key infrastructure, and they're about to have a >> strong financial interest in each CA that is found guilty. Presumably if >> Google were to summarily execute another large CA in the future, after >> launching their own certificate offering, they would see a large uptick in >> business. >> >> With regards to your linked discussion about the GlobalSign root >> acquisition, I see nothing but more reasons to be concerned. Is there any >> reason for Google to have acquired the roots from GlobalSign except to >> backdoor their way into already being in Mozilla's trusted store? I admit to >> being a layman on this matter, so what exactly is the legitimate case for >> Google acquiring GlobalSign roots? > > > I will defer to Google's post announcing the acquisition: > https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html >> >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
