On Thu, 29 Oct 2020 11:06:43 -0700
Jacob Hoffman-Andrews via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> I also have a concern about ecosystem impact. The Web PKI and
> Certificate Transparency ecosystems have been gradually narrowing
> their scope - for instance by requiring single-purpose TLS issuance
> hierarchies and planning to restrict CT logs to accepting only
> certificates with the TLS EKU. New key distribution systems will find
> it tempting to reuse the Web PKI by assigning additional semantics to
> certificates with the TLS EKU, but this may make the Web PKI less
> agile.

This is my main concern too.

I think this is something I would be annoyed to discover some CA has
decided it's allowed to do, even if I wasn't able to come up with a
tortured rationale for why it's prohibited. "It wasn't prohibited" is
not the standard Mozilla asks root programme participants to aim for.
So since I'm being asked, no, I think this is a bad idea.

If we were talking about a subscriber it seems obvious that ISRG needn't
try to police what they get up to, but ISRG itself is different.

> I've discussed the plan with Apple, and they're fully aware this is an
> unusual and non-ideal use of the Web PKI, and hope to propose a
> timeline for a better system soon. One of the constraints operating
> here is that Apple has already shipped software implementing the
> system described above, and plans to use it in addressing our
> current, urgent public health crisis. As far as I know, no publicly
> trusted Web PKI certificates are currently in use for this purpose.

The problem with such timelines is they are too often wishful thinking.
Once the immediate need abates, further action is de-prioritised and
often never happens at all. I suspect we've all experienced this.

ISRG could perhaps avoid that de-prioritization by committing up
front to ceasing the "unusual and non-ideal use" by some specific point
in time agreed with Apple, I don't know whether Apple would be at all
interested in doing that, but it might be enough to ensure that
resources remain properly focused on actually deploying the "better
system" in a timely fashion.


This "urgent public health crisis" is presumably the COVID-19
pandemic. Action in November 2020 or later hardly seems an "urgent"
response to the pandemic and at this point it seems clear that mostly
what matters is political direction rather than IT innovation.

That is to say, I think New Zealand has elimination whereas the USA
has tens of thousands of new cases every day because New Zealand's
political leadership pursued an elimination strategy and the American
government did not, rather than because the NZ COVID Tracer app is
markedly better than similar American software.


Back to the application. I think the desire here is to have
anonymisation because intellectually it seems as though users would be
satisfied that collecting anonymised aggregate statistics is OK where
they'd be trepidatious about any other data collection. Without robust
studies showing this to be true I very much doubt it. Users are not
much impressed by facts, their gut feeling is that collecting data
violates their privacy and the facts won't change that feeling.


> So, mdsp folks and root programs: Can a CA or a Subscriber
> participate in the above system without violating the relevant
> requirements?

I'm not an expert, but I suspect the answer for a CA is that yes, they perhaps 
can
BUT however they should not.


Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to