On Tue, Jul 7, 2020 at 10:36 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Mon, Jul 06, 2020 at 10:53:50AM -0700, zxzxzx66669--- via > dev-security-policy wrote: > > Can't the affected CAs decide on their own whether to destroy the > > intermediate CA private key now, or in case the affected intermediate CA > > private key is later compromised, revoke the root CA instead? > > No, because there's no reason to believe that a CA would follow through on > their decision, and rapid removal of trust anchors (which is what "revoke > the root CA" means in practice) has all sorts of unpleasant consequences > anyway. > Er, not quite? I mean, yes, removing the root is absolutely the final answer, even if waiting until something "demonstrably" bad happens. The question is simply whether or not user agents will accept the risk of needing to remove the root suddenly, and with significant (e.g. active) attack, or whether they would, as I suggest, take steps to remove the root beforehand, to mitigate the risk. The cost of issuance plus the cost of revocation are a fixed cost: it's either pay now or pay later. And it seems like if one needs to contemplate revoking roots, it's better to do it sooner, than wait for it to be an inconvenient or inopportune time. This is why I meant earlier, when I said a solution that tries to wait until the 'last possible minute' is just shifting the cost of misissuance onto RPs/Browsers, by leaving them to clean up the mess. And a CA that tries to shift costs onto the ecosystem like that seems like it's not a CA that can be trusted to, well, be trustworthy. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy