A few thoughts, inlined below...

On Monday, September 17, 2018 at 6:42:29 PM UTC-5, Jake Weisz wrote:

> I guess under this logic, I withdraw my protest. As you say, Google
> could simply start using these certificates, and Mozilla executives
> would force you to accept them regardless of any policy violations in
> order to keep people using Firefox. This whole process appears to
> mostly just be a veneer of legitimacy on a process roughly akin to the
> fair and democratic election of Vladimir Putin. :| As long as Google
> remains legally answerable to no authority and an effective monopoly
> in half a dozen markets, there is roughly no point for Mozilla to
> maintain a CA policy: It should simply use Chrome's trusted store.

Your summation here does not logically follow.

Yes, it's true that with a giant installed base of Chrome and the ability to auto-update it, Google can more or less arbitrarily insert new trust into their browser with impunity.

Having said that, they have historically not done so. In fact -- and I think this may be changing -- for now, Chrome on most platforms delegates the initial trust decision to the OS's corresponding trust store. Chrome on macOS / Chrome on iOS use the native APIs and Apple trust store to determine initial trust, then Chrome applies further logic to downgrade trust of certain scenarios (Symantec descendant certs, etc.). Chrome on Windows presently uses the Windows APIs and Windows trust store. It has been suggested that Chrome ultimately intends to maintain a formal Chrome trust store, but this is not the case today.

Today this means that to be trusted on Windows, even in Chrome, you have to be in the Microsoft root program. To be trusted on Apple platforms, even in Chrome, you have to be in the Apple root program.

To date, no one has caught Chrome trusting things it shouldn't by way of an automated update. If they tried to do that without good explanation, it would be easily caught at the level of scale that Chrome is used at.

It is undeniable that the various titans of the internet wield enormous power over the software and infrastructure of the internet.

Historically, Google is a significant enough contributor to Mozilla financially that it's hard to imagine that Mozilla would deny them much even if making Firefox trust everything that Chrome trusts didn't become competitively necessary.

Nevertheless, even if Google were totally exempt from the standards for inclusion and even if Google didn't act honorably in their inclusions (though nothing has suggested this), your argument that Mozilla shouldn't bother with a trust store / root program is illogical.
Even if Google got a truly free pass, someone still has to police the many others who want to be in the trust program.

> Google's explanation in their announcement seems to confirm my
> statement: That buying roots from GlobalSign is effectively
> backdooring the CA process and making their certificates work in
> products which would not otherwise trust them.

Actually, Google took a bit of heat from the community and the Mozilla root program regarding the acquisitions of that root and of the transfer of the roots to Google. While ultimately no action was taken against Google or GlobalSign as a direct result of those transfers, the transfers did evidence holes in the program's policies and further revisions were made and guidance given for any future transfers.

