On Wed, Jul 10, 2019 at 1:07 PM Nadim Kobeissi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I would like to support the statements made by both Fabio and Scott to the
> extent that if Mozilla is to go forward with this decision, then I fully
> expect them to review their existing CAs and to revoke onto OneCRL every
> one of them that has some news report or blog post linking them to
> nefarious activities without evidence. The examples given by Fabio (Saudi
> Telecom, Australia's Attorney General Department, etc.) seem to have as
> much "evidence" (if not more) than DarkMatter out there. Will they also be
> revoked? And if not, why not? In fact, why didn't Mozilla itself bring this
> up before Fabio and Scott chimed in?

Hi Nadim,

I realize you're a new participant in this Forum, and thus are not very
familiar with PKI or how it works. As I responded, Fabio's remarks
misunderstand both Mozilla Policy and how CAs work and operate, as well as
audits and controls. I realize this may be confusing for new participants,
and I hope my drawing attention to your confusion can help you learn more.

Similarly, as a new participant, you probably aren't familiar with how root
programs work, based on your replies. For example, Mozilla's policy has
always contained a very explicit provision:
Mozilla MAY, at its sole discretion, decide to disable (partially or fully)
or remove a certificate at any time and for any reason.

I realize you may be unhappy with that language, based on your replies, but
it's important to recognize that Mozilla is tasked with, among other
things, the safety and security of its users. However, as noted, it may
remove them for any reason, even those without security requirements.
Mozilla understandably strives to balance this in its mission, but I think
it's important to recognize that it's a very clear policy which every CA
trusted or applying to be trusted must acknowledge and agree with.

It's also unfortunate that you seem to be looking for objective controls
here. In the 30 years of PKI discussions, one of the key themes in both the
legal and technical analysis is that trust is, functionally, a subjective
thing. Audits are one mechanism to try to improve certainty, but they are
not a substitute. The choice of audit schemes currently used - which rely
on third-party audits with criteria developed by other organizations - is
similarly lacking in suitability, if that's the position to take.
Alternative schemes, which have been or are practiced by other root
programs, include charging CAs that wish to apply, and using that to fund
efforts for the development and analysis of organizations. However, that
sort of "pay for play" scheme, as some perceive it, runs the risk of
further encouraging those with deep pockets to pursue bad behaviour.

If you're looking to understand a bit more about the basics of PKI, which
seems a good opportunity given the challenges you're struggling with on the
discussion, perhaps you'd like to examine how the Mozilla Policy developed
[1]. You can note the issues [2] at the time with audits. Indeed, some of
the earlier messages on this thread include good primers that potential
participants should be familiar with, in order to ensure their
contributions are most useful and informed.

[1] http://hecker.org/mozilla/ca-certificate-metapolicy
[2] http://hecker.org/mozilla/cert-policy-submitted