On Wed, Dec 19, 2018 at 05:20:59PM +0000, Jeremy Rowley via dev-security-policy 
wrote:
> One of the big factors should be the risk to the industry/community if the
> certificates aren’t revoked.  Perhaps we can identify what the risk to the
> community is in revocation delays first?  There’s no need to know the
> exact certs to talk about what the risk associated with underscore
> characters is.  Could you please explain the risk to the community in a
> revocation delay as the “unreasonable” argument isn’t really supported
> without that understanding.

I think an important risk to the community of not revoking as per the CA/B
Forum's accepted ballot timeline is sending the message that the rules of
the game are optional, and there is commercial benefit to be gained in not
following the rules.

I'm sure there are some CAs whose systems were always set up in a
standards-compliant fashion, and refused to issue certificates for invalid
names.  I'm equally sure that at least one of those CAs lost a sale over the
years as a result of that, and that sale went to a competitor which was
*not* adhering to the standards.

Now the issue has been raised, clarification made, and a decision has been
made as to how to move forward.  To provide further benefit (in the form of
a waiver from the agreed-upon rules) to CAs which have failed to follow the
rules in the past does not encourage adherence in the future.  Certainly, if
I were the CEO of a for-profit CA which *had* followed the no-underscores
rule, I might be inclined to gently encourage my developers to play a little
faster and looser with their interpretations in the future, if it would
provide my organisation with a revenue benefit, and it was clear that there
was to be no meaningful negative consequence *to me* as a result.  To do
otherwise would actually be contrary to the stated goals of the
organisation.

Please don't misunderstand my words to think that I'm saying that any CA
*deliberately* ignored the standards around underscores in order to sell
some more certs.  I'm well aware that the rules around valid hostnames,
domain names, DNS labels, etc are not the clearest, and most people wouldn't
read them even if they were.

It's undeniable, though, that CAs which allowed underscores in places that
are supposed to be valid LDH domain names made a mistake, and to
deliberately misquote Jurassic Park's John Hammond, "I don't blame people
for their mistakes, but I do expect them to take responsibility for them."
To not expect CAs to take responsibility for their mistakes sends a
*terrible* message to the entire ecosystem, one that would have far greater
long-term repercussions than any isolated harm from the presence of
underscores themselves.

Whilst it's not quite the textbook definition, part of the Wikipedia page on
"Moral Hazard" says, "when a person takes more risks because someone else
bears the cost of those risks".  That's a pretty reasonable expression of
what's going on here.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
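The message above turns on one technical fact: an underscore is not a valid character in an LDH (letters, digits, hyphen) DNS label, so a certificate whose SAN dNSName contains one was misissued. The following is an added example, not code from the thread or from any CA, showing the check a CA or auditor would run over a list of dNSName values. The SAN list is constructed for illustration; the special-casing of a leftmost "*" label is an assumption that the usual wildcard form should pass, and the 63-octet label and 253-octet name limits are the RFC 1035 preferred-name-syntax limits.

```python
import re

# RFC 1035 preferred name syntax, as referenced by RFC 5280 for dNSName:
# each label is letters, digits and hyphens, 1..63 octets, and must not
# begin or end with a hyphen.  Underscores are not in the allowed set.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ldh_label(label):
    """True if a single DNS label is LDH-compliant."""
    return bool(_LDH_LABEL.match(label))


def check_dnsname(name):
    """Return a list of problems with a dNSName value; an empty list means it is LDH-compliant."""
    problems = []
    if name.endswith("."):
        name = name[:-1]  # tolerate an absolute name with a trailing dot
    if not name:
        return ["empty name"]
    if len(name) > 253:
        problems.append("name longer than 253 octets")
    labels = name.split(".")
    for i, label in enumerate(labels):
        # Assumption: a bare "*" as the leftmost label is the accepted wildcard form.
        if i == 0 and label == "*" and len(labels) > 1:
            continue
        if label == "":
            problems.append("empty label")
        elif "_" in label:
            # Report underscores separately; this is the exact defect discussed in the thread.
            problems.append("underscore in label %r" % label)
        elif not is_ldh_label(label):
            problems.append("non-LDH label %r" % label)
    return problems


def noncompliant_sans(sans):
    """Map each non-compliant dNSName in `sans` to its list of problems."""
    result = {}
    for name in sans:
        problems = check_dnsname(name)
        if problems:
            result[name] = problems
    return result


# Constructed sample SAN list (not taken from any real certificate).
SAMPLE_SANS = [
    "www.example.com",
    "_sip._tcp.example.com",
    "*.example.com",
    "-bad.example.com",
    "ok_host.example.net",
]

if __name__ == "__main__":
    for name, problems in sorted(noncompliant_sans(SAMPLE_SANS).items()):
        print(name, "->", "; ".join(problems))
```

Running the block prints one line per non-compliant name; the two underscore cases are the kind of SAN that the ballot timeline in the thread requires revoking, while the leading-hyphen case is a distinct LDH violation that the same check catches.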