On Mon, 17 Sep 2018 18:41:07 -0500 Jake Weisz via dev-security-policy <[email protected]> wrote:
> I guess under this logic, I withdraw my protest. As you say, Google > could simply start using these certificates, and Mozilla executives > would force you to accept them regardless of any policy violations in > order to keep people using Firefox. This whole process appears to > mostly just be a veneer of legitimacy on a process roughly akin to the > fair and democratic election of Vladimir Putin. :| As long as Google > remains legally answerable to no authority and an effective monopoly > in half a dozen markets, there is roughly no point for Mozilla to > maintain a CA policy: It should simply use Chrome's trusted store. I think you've misunderstood. What happened was that somebody turned your logic on itself, to show that it tears itself to pieces. The right conclusion to draw from that is "My whole position is senseless and I must reconsider". It's analogous to the mathematical "proof by contradiction". It certainly isn't our intent to say you're right, but only to follow your position to its self-defeating logical conclusion. Also, in passing, it would help if you knew that, for example, Chrome doesn't have a trust store, Google operates a root trust programme in its role as an Operating system vendor (for Android) but the Chrome browser uses the OS-provided trust store, a Chrome on Windows trusts the various obscure Government CAs that Microsoft decided are trustworthy, a Chrome on macOS trusts whatever Apple trusts, and so on. > Google's explanation in their announcement seems to confirm my > statement: That buying roots from GlobalSign is effectively > backdooring the CA process and making their certificates work in > products which would not otherwise trust them. Mechanically it is necessary to have trust from existing systems or you can't run a new CA for many years while you wait for new systems that do trust you to be deployed. [ For example for Let's Encrypt this was ensured by obtaining cross signatures on the Let's Encrypt intermediates from Identrust's DST Root CA X3. ] This fact makes a difference to what a CA might plausibly choose to do, operationally, but doesn't alter how trustworthy, or otherwise that CA is to operate a store today, which is the purpose of Mozilla's process here. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
