On Thu, 29 Oct 2020 11:06:43 -0700 Jacob Hoffman-Andrews via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I also have a concern about ecosystem impact. The Web PKI and > Certificate Transparency ecosystems have been gradually narrowing > their scope - for instance by requiring single-purpose TLS issuance > hierarchies and planning to restrict CT logs to accepting only > certificates with the TLS EKU. New key distribution systems will find > it tempting to reuse the Web PKI by assigning additional semantics to > certificates with the TLS EKU, but this may make the Web PKI less > agile. This is my main concern too. I think this is something I would be annoyed to discover some CA has decided it's allowed to do, even if I wasn't able to come up with a tortured rationale for why it's prohibited. "It wasn't prohibited" is not the standard Mozilla asks root programme participants to aim for. So since I'm being asked, no, I think this is a bad idea. If we were talking about a subscriber it seems obvious that ISRG needn't try to police what they get up to, but ISRG itself is different. > I've discussed the plan with Apple, and they're fully aware this is an > unusual and non-ideal use of the Web PKI, and hope to propose a > timeline for a better system soon. One of the constraints operating > here is that Apple has already shipped software implementing the > system described above, and plans to use it in addressing our > current, urgent public health crisis. As far as I know, no publicly > trusted Web PKI certificates are currently in use for this purpose. The problem with such timelines is they are too often wishful thinking. Once the immediate need abates, further action is de-prioritised and often never happens at all. I suspect we've all experienced this. ISRG could perhaps avoid that de-prioritization by committing up front to ceasing the "unusual and non-ideal use" by some specific point in time agreed with Apple, I don't know whether Apple would be at all interested in doing that, but it might be enough to ensure that resources remain properly focused on actually deploying the "better system" in a timely fashion. This "urgent public health crisis" is presumably the COVID-19 pandemic. Action in November 2020 or later hardly seems an "urgent" response to the pandemic and at this point it seems clear that mostly what matters is political direction rather than IT innovation. That is to say, I think New Zealand has elimination whereas the USA has tens of thousands of new cases every day because New Zealand's political leadership pursued an elimination strategy and the American government did not, rather than because the NZ COVID Tracer app is markedly better than similar American software. Back to the application. I think the desire here is to have anonymisation because intellectually it seems as though users would be satisfied that collecting anonymised aggregate statistics is OK where they'd be trepidatious about any other data collection. Without robust studies showing this to be true I very much doubt it. Users are not much impressed by facts, their gut feeling is that collecting data violates their privacy and the facts won't change that feeling. > So, mdsp folks and root programs: Can a CA or a Subscriber > participate in the above system without violating the relevant > requirements? I'm not an expert, but I suspect the answer for a CA is that yes, they perhaps can BUT however they should not. Nick. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
