On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via dev-security-policy
> wrote:
> > I was informed yesterday that I would have to replace just over 300
> > certificates in 5 days because my CA is required by rules from the CA/B
> > forum to revoke its subCA certificate.
>
> The possibility of such an occurrence should have been made clear in the
> subscriber agreement with your CA. If not, I encourage you to have a frank
> discussion with your CA.
>
> > In the CIA triad Availability is as important as Confidentiality. Has
> > anyone done a threat model and a serious risk analysis to determine what a
> > reasonable risk mitigation strategy is?
>
> Did you do a threat model and a serious risk analysis before you chose to
> use the WebPKI in your application?
I think it is important to keep in mind that many of the CA certificates that were identified are constrained to not issue TLS certificates. The certificates they issue are explicitly excluded from the Mozilla CA program requirements.

The issue at hand is caused by a lack of standardization of the meaning of the Extended Key Usage certificate extension when included in a CA-certificate. This has resulted in some software developers taking certain EKUs in CA-certificates to act as a constraint (similar to Name Constraints), some to take it as the purpose for which the public key may be used, and some to simultaneously take both approaches - using the former for the id-kp-serverAuth key purpose and the latter for the id-kp-OCSPSigning key purpose.

I don't think it is reasonable to assert that everyone impacted by this should have been aware of the possibility of revocation - it is completely permissible under all browser programs to issue end-entity certificates with infinite duration that guarantee that they will never be revoked, even in the case of full key compromise, as long as the certificate does not assert a key purpose in the EKU that is covered under the policy. The odd thing in this case is that the subCA certificate itself is the certificate in question.

As several others have indicated, WebPKI today is effectively a subset of the more generic shared PKI. It is beyond time to fork the WebPKI from the general PKI and strongly consider making WebPKI-only CAs that are subordinate to the broader PKI; these WebPKI-only CAs can be carried by default in public web browsers and operating systems, while the broader general PKI roots can be added locally (using centrally managed policies or local configuration) by those users who want a superset of the WebPKI.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
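The two readings of an EKU extension in a CA-certificate that Peter's message describes, worked through on a constructed chain. This is an added illustration, not code from the thread or from any CA or browser vendor: certificates are plain records with the subject, issuer, CA flag and EKU set filled in by hand (no X.509 parsing, no signature checking), and the chain, the names `Root CA`, `Email Sub CA`, `TLS Sub CA` and the leaf are invented. The "constraint" reading intersects EKU sets down the path the way a Name Constraint would narrow the namespace; the "key purpose" reading looks only at the certificate whose key is being used. The OCSP responder check follows RFC 6960 section 4.2.2.2 (a certificate issued directly by the CA, carrying id-kp-OCSPSigning, may sign responses for that CA's certificates); applying that reading to a CA-certificate is the hybrid interpretation the message mentions.

```python
"""Two readings of an EKU extension inside a CA-certificate.

Constructed model: certs are records, not parsed X.509. The chain below is
invented to show how the same subCA certificate is judged under each reading.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Key-purpose OIDs from RFC 5280 section 4.2.1.12 / RFC 6960
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: Optional[FrozenSet[str]]  # None: no EKU extension present


def allowed_by_own_eku(cert: Cert, purpose: str) -> bool:
    """'EKU as key purpose': the extension says what THIS key may be used for.
    An absent extension places no restriction (RFC 5280)."""
    if cert.eku is None:
        return True
    return purpose in cert.eku or ANY_EKU in cert.eku


def effective_ekus(chain: List[Cert]) -> Optional[FrozenSet[str]]:
    """'EKU as constraint': intersect the EKU sets along the path (root first).
    A CA with no EKU, or with anyExtendedKeyUsage, does not narrow the set,
    just as a CA without Name Constraints does not narrow the namespace.
    Returns None when nothing in the path constrains the purpose."""
    acc: Optional[FrozenSet[str]] = None
    for cert in chain:
        if cert.eku is None or ANY_EKU in cert.eku:
            continue
        acc = cert.eku if acc is None else acc & cert.eku
    return acc


def leaf_allowed_constraint(chain: List[Cert], purpose: str) -> bool:
    """Constraint reading: every CA above the leaf must permit the purpose."""
    eff = effective_ekus(chain)
    return eff is None or purpose in eff


def leaf_allowed_key_purpose(chain: List[Cert], purpose: str) -> bool:
    """Key-purpose reading: only the end-entity's own EKU is consulted;
    EKUs on the CA-certificates above it are ignored for path validation."""
    return allowed_by_own_eku(chain[-1], purpose)


def is_delegated_ocsp_responder(cert: Cert, issuer: Cert) -> bool:
    """RFC 6960 4.2.2.2: a certificate issued directly by a CA and carrying
    id-kp-OCSPSigning may sign OCSP responses for that CA's certificates.
    Under the key-purpose reading this is true of a CA-certificate as well."""
    return (cert.issuer == issuer.subject
            and cert.eku is not None
            and OCSP_SIGNING in cert.eku)


# Constructed chain (names and EKU sets invented for this example).
ROOT = Cert("Root CA", "Root CA", True, None)
EMAIL_SUB = Cert("Email Sub CA", "Root CA", True,
                 frozenset({EMAIL_PROTECTION, OCSP_SIGNING}))
TLS_SUB = Cert("TLS Sub CA", "Root CA", True, frozenset({SERVER_AUTH}))
# A leaf (mis)issued under the e-mail subCA that asserts serverAuth itself.
LEAF = Cert("www.example.test", "Email Sub CA", False, frozenset({SERVER_AUTH}))
PATH = [ROOT, EMAIL_SUB, LEAF]


def verdicts() -> dict:
    """Collect how each reading judges the constructed chain."""
    return {
        # Constraint reading: serverAuth is not in Email Sub CA's EKU, so a
        # TLS leaf beneath it is rejected; this is why such a subCA can be
        # outside a browser program's TLS policy.
        "tls_leaf_constraint": leaf_allowed_constraint(PATH, SERVER_AUTH),
        # Key-purpose reading: the leaf's own EKU is all that counts.
        "tls_leaf_key_purpose": leaf_allowed_key_purpose(PATH, SERVER_AUTH),
        # Hybrid reading for id-kp-OCSPSigning: the e-mail-only subCA's key
        # is a delegated responder for everything Root CA issued, including
        # TLS Sub CA, so its compromise or revocation matters to the WebPKI.
        "email_sub_is_ocsp_responder": is_delegated_ocsp_responder(EMAIL_SUB, ROOT),
        "tls_sub_is_ocsp_responder": is_delegated_ocsp_responder(TLS_SUB, ROOT),
    }


if __name__ == "__main__":
    for name, value in verdicts().items():
        print(f"{name}: {value}")
```

The point the chain makes is that the same e-mail-only subCA certificate is harmless under the constraint reading (no TLS leaf chains through it) yet is a valid delegated OCSP responder for its parent under the key-purpose reading, which is what makes the subCA certificate itself, rather than anything it issued, the certificate that needs handling.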