On Sat, Jul 04, 2020 at 07:42:12PM -0700, Peter Bowen wrote: > On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > > On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via > > dev-security-policy wrote: > > > I was informed yesterday that I would have to replace just over 300 > > > certificates in 5 days because my CA is required by rules from the CA/B > > > forum to revoke its subCA certificate. > > > > The possibility of such an occurrence should have been made clear in the > > subscriber agreement with your CA. If not, I encourage you to have a frank > > discussion with your CA. > > > > > In the CIA triad Availability is as important as Confidentiality. Has > > > anyone done a threat model and a serious risk analysis to determine what a > > > reasonable risk mitigation strategy is? > > > > Did you do a threat model and a serious risk analysis before you chose to > > use the WebPKI in your application? > > I think it is important to keep in mind that many of the CA > certificates that were identified are constrained to not issue TLS > certificates. The certificates they issue are explicitly excluded > from the Mozilla CA program requirements.
Yes, I'm aware of that. > I don't think it is reasonable to assert that everyone impacted by > this should have been aware of the possibly of revocation At the limits, I agree with you. However, to whatever degree that there is complaining to be done, it should be directed at the CA(s) which sold a product that, it is now clear, was not fit for whatever purpose it has been put to, and not at Mozilla. > it is completely permissible under all browser programs to issue > end-entity certificates with infinite duration that guarantee that they > will never be revoked, even in the case of full key compromise, as long as > the certificate does not assert a key purpose in the EKU that is covered > under the policy. The odd thing in this case is that the subCA > certificate itself is the certificate in question. And a sufficiently[1] thorough threat modelling and risk analysis exercise would have identified the hazard of a subCA certificate that needed to be revoked, assessed the probability of that hazard occurring, and either accepted the risk (and thus have no reasonable cause for complaint now), or would have controlled the risk until it was acceptable. That there are people cropping up now demanding that Mozilla do a risk analysis for them indicates that they themselves didn't do the necessary risk analysis beforehand, which pegs my irony meter. I wonder how these Masters of Information Security have "threat modelled" the possibility that their chosen CA might get unceremoniously removed from trust stores. Show us yer risk register! - Matt [1] one might also substitute "impossibly" for "sufficiently" here; I've done enough "risk analysis" to know that trying to enumerate all possible threats is an absurd notion. The point I'm trying to get across is that someone asking Mozilla to do what they can't is not the iron-clad, be-all-and-end-all argument that some appear to believe it is. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy