On Sun, Feb 20, 2022 at 9:07 AM Ryan Sleevi <[email protected]> wrote:
>
> The goal is to protect users, not "fairness". Transparent, consistent 
> processes, aligned with the policy objectives, but that does not mean a 
> dispensation towards assuming inclusion, or that "If you did the work, and 
> got an audit, you should be trusted". This process is one of risk management, 
> and that cannot and should not be abdicated.
>
> Had Certainly not applied for a Root Inclusion, I would be actively 
> encouraging that the request be rejected entirely, precisely for the same 
> reasons here: the risk of a subordinate is indistinguishable to end users 
> from that of a root, while the risk to the process and policies is even 
> greater. The march has been towards containing that risk, and, consistent 
> with concerns raised about delegating trust to third-parties such as 
> governments, not one that should be lightly abdicated, least of all because 
> of a misguided goal to fairness over security.

I fully agree that we should not prioritize fairness over security,
but I have to disagree that this should be rejected if there was not
already a root inclusion request.  If the security risk was so great,
then why does Mozilla policy not simply prohibit new Externally
Operated Subordinate CAs that are Not Technically Constrained?  Eight
months ago, in July 2021, the last time this topic came up, two
different people suggested simply prohibiting the practice[1][2].
However Mozilla decided to not do so and instead opened a Policy 2.8
topic on the process to approve issuance [3] and updated the Mozilla
wiki in December 2021.

While I hope we can all agree that revisiting policy is necessary as
we learn new things and technology changes, I do not think that
anything notable has changed in the last two to eight months that
suggests this request represents a new security risk compared to what
could be reasonably envisioned when this was last discussed.

I do not think this request, or other requests for a new Externally
Operated Subordinate CA, should be rejected or accepted based on
whether the CA operator is applying for inclusion of a root CA they
operate.

Thanks,
Peter

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/AA5G1bzOwZQ/m/-L7Q_bdABQAJ
[2] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/AA5G1bzOwZQ/m/mS5rard2BQAJ
[3] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/zBGXSngpwWw/m/aIm4sKXyAAAJ
