Hi Kathleen and community, I understand that you've made a decision w/r/t the DarkMatter CA matters and am not writing to challenge or attempt to influence those.
I'm responding here only insofar as you were "intrigued" by my comments analogizing Mozilla Root Trust store decisioning to the kinds of risk management exercised in the assumption of financial risk, such as in consumer lending. I'm writing to further expound on my positions in that regard.

I submit that I disagree somewhat with Gijs' suggestion that Mozilla acts in the nature of a third-party guarantor here. I further submit that the more direct analogue is that the community of Mozilla users, present and future, is the set of depositing members of the Mozilla Trust Credit Union, a bank of trust/credit which is lent out to CAs from the pool of trust and good will of those users -- that pool being under the direction and management of the Mozilla organization, who, I believe, are literally acting in the nature of a lender, loaning out the pooled assets (in this case the sum of the trust extended to Mozilla) to qualified trust-borrowers (CAs). Mozilla is explicitly in the position of making decisions regarding where to invest that pooled trust. Indeed, if Mozilla is a mere guarantor in this process, who precisely is the lender?

I also disagree with the contention that Mozilla has "effectively no recourse" should a trust "debtor" (CA) "default" (fail to make "payments" on the borrowed trust through providing services to certificate subscribers only in compliance with program and industry guidelines and with proper validation). Mozilla's recourse is essentially absolute: you can revoke the trust you've extended, preventing further damage. Just as a lender in consumer finance has the ability to service and manage borrowers in their current portfolio (for example, via periodic credit monitoring of current borrowers), tools for the management and monitoring of program participants exist: Certificate Transparency log monitoring, as well as a fairly active community of users who are actively digging for problems.
I agree that it's quite possible that the Mozilla Root program should be far more selective. Perhaps DarkMatter does not meet the bar. If so, though, I think there are a whole lot of other participants (including many current participants) who also do not meet the bar, if one is to be objective in these decisions. In support of objectivity in these matters, I again raise the scenario: imagine you personally have to appear before a judge in some court for some reason regarding the rationale for program membership. Do we want a future in which this might be the testimony: "Your honor, CAs A, B, and C, despite having minor compliance issues directly aligned to program guidelines which were quickly remediated, met the bar for inclusion. However, CAs D, E, and F, despite meeting compliance burdens aligned to program guidelines without exception, failed to meet the bar for inclusion because of real or perceived shortcomings not directly aligned to program guidelines."?

Whether by Mozilla's doing or not, inclusion in the Mozilla Root trust store is essentially a prerequisite to access to other trust stores: stores in various other OS distributions, default stores in IoT devices being manufactured, etc. These past couple of years have shown a very particular direction and focus for the WebPKI. (Broadly, from what I've seen, toward a domain-validated-only future with what is likely to evolve into a single static leaf certificate profile. Perhaps with caveats for signed exchange certs, etc.) If that's truly where it's headed, and if that future has a charitable CA supported by the community, there does not really seem to be a place for commercial CAs moving forward with respect to the WebPKI. Perhaps it makes sense for the program to begin aligning policy to a "hard divorce" of the public WebPKI from all other use cases?
This would likely dramatically reduce incentives for commercial participants, with intentions good or bad, to join and maintain membership in the program. If that's where it's headed anyway, it may be that a great deal of work [on the part of all involved parties] can be avoided by being explicit about that intent sooner rather than later. Were you to do that -- and combine it with taking steps that technologically make it infeasible for a single TLS endpoint to usefully act as part of the WebPKI and a private hierarchy simultaneously -- I believe you could essentially eliminate much of the commercial and government interest in program membership. We would hopefully end up with no more than a handful of equivalent but fully independent (managerially and technologically) CAs in the image of Let's Encrypt, and no reason for any other CAs to be in the program.

On Tue, Jul 16, 2019 at 11:19 AM Kathleen Wilson via dev-security-policy <[email protected]> wrote:
>
> I was intrigued by Matthew’s FICO score analogy [3] demonstrating that
> bias should be removed from the decision making process. I agree with
> Gijs’ suggestion [4] that a more applicable analogy is being a guarantor
> on a large loan. As Gijs said: you should never “be a guarantor for
> anybody unless you're very, very sure of that person, because you have
> effectively no recourse if the debtor leaves you holding the bag.” If I
> had thought of myself (or Mozilla) as a guarantor of the CNNIC CA, then
> all of the concerns that people had raised about CNNIC during their root
> inclusion request would have enabled me to say that I was not confident
> that CNNIC would continue to fulfill their commitments as a CA in
> Mozilla’s program. That could have prevented the difficulties that arose
> when the CNNIC root was used to mis-issue TLS certificates that were
> subsequently used for MiTM.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy