On Sun, Jul 12, 2020 at 4:19 PM Oscar Conesa via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> To obtain this confidence, CAs must comply with all the requirements > that are imposed on them in the form of Policies, Norms, Standards and > Audits that are decided on an OBJECTIVE basis for all CAs. The > fulfillment of all these requirements must be NECESSARY, but also > SUFFICIENT to stay in the Root Program. > As Matt Palmer points out, that's not consistent with how any root program behaves. This is not unique to Mozilla, as you find similar text at Microsoft and Google, and I'm sure you'd find similar text with Apple were they to say anything. Mozilla's process is transparent, in that it seeks to weigh public information, but it's inherently subjective: this can easily be seen by the CP/CPS reviews, which are, by necessity, a subjective evaluation of risk criteria based on documentation. You can see this in the CAs that have been accepted, and the applications that have been rejected, and the CAs that have been removed and those that have not been. Relying parties act on the information available to them, including how well the CA handles and responds to incidents. Some CAs may want to assume a leadership role in the sector and > unilaterally assume more additional strict security controls. That is > totally legitimate. But it is also legitimate for other CAs to assume a > secondary role and limit ourselves to complying with all the > requirements of the Root Program. You cannot remove a CA from a Root > Program for not meeting fully SUBJETIVE additional requirements. > CAs have been, can be, and will continue to be. I think it should be precise here: we're talking about an incident response. Were things as objective as you present, then every CA who has misissued such a certificate would be at immediate risk of total and complete distrust. We know that's not a desirable outcome, nor a likely one, so we recognize that there is, in fact, a shade of gray here for judgement. That judgement is whether or not the CA is taking the issue seriously, and acting to assume a leadership role. CAs that fail to do so are CAs that pose risk, and it may be that the risk they pose is unacceptable. Key destruction is one way to reassure relying parties that the risk is not possible. I think a CA that asked for it to be taken on faith, indefinitely, is a CA that fundamentally misunderstands the purpose and goals of a root program. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
