On Wed, Jul 10, 2019 at 1:07 PM Nadim Kobeissi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I would like to support the statements made by both Fabio and Scott to the
> extent that if Mozilla is to go forward with this decision, then I fully
> expect them to review their existing CAs and to revoke onto OneCRL every
> one of them that has some news report or blog post linking them to
> nefarious activities without evidence. The examples given by Fabio (Saudi
> Telecom, Australia's Attorney General Department, etc.) seem to have as
> much "evidence" (if not more) than DarkMatter out there. Will they also be
> revoked? And if not, why not? In fact, why didn't Mozilla itself bring this
> up before Fabio and Scott chimed in?

Hi Nadim,

I realize you're a new participant in this Forum, and thus are not very familiar with PKI or how it works. As I responded, Fabio's remarks misunderstand both Mozilla Policy and how CAs work and operate, as well as audits and controls. I realize this may be confusing for new participants, and I hope my drawing attention to your confusion can help you learn more.

Similarly, as a new participant, you probably aren't familiar with how root programs work, based on your replies. For example, Mozilla's policy has always contained a very explicit provision: Mozilla MAY, at its sole discretion, decide to disable (partially or fully) or remove a certificate at any time and for any reason. I realize you may be unhappy with that language, based on your replies, but it's important to recognize that Mozilla is tasked with, among other things, the safety and security of its users. However, as noted, it may remove them for any reason, even those without security requirements. Mozilla understandably strives to balance this in its mission, but I think it's important to recognize that it's a very clear policy which every CA trusted or applying to be trusted must acknowledge and agree with.

It's also unfortunate that you seem to be looking for objective controls here.
In the 30 years of PKI discussions, one of the key themes in both the legal and technical analysis is that trust is, functionally, a subjective thing. Audits are one mechanism to try to improve certainty, but they are not a substitute. The choice of audit schemes currently used - which rely on third-party audits with criteria developed by other organizations - is similarly lacking in suitability, if that's the position to take. Alternative schemes, which have been or are practiced by other root programs, include charging CAs that wish to apply, and using that to fund efforts for the development and analysis of organizations. However, that sort of "pay for play" scheme, as some perceive it, runs the risk of further encouraging those with deep pockets to pursue bad behaviour.

If you're looking to understand a bit more about the basics of PKI, which seems a good opportunity given the challenges you're struggling with on the discussion, perhaps you'd like to examine how the Mozilla Policy developed [1]. You can note the issues [2] at the time with audits. Indeed, some of the earlier messages on this thread include good primers that potential participants should be familiar with, in order to ensure their contributions are most useful and informed.

[1] http://hecker.org/mozilla/ca-certificate-metapolicy
[2] http://hecker.org/mozilla/cert-policy-submitted