Some immediate feedback:

"network surveillance; or"

What about security firms that also provide MSP/etc. and do network surveillance for customers of customer networks? Ditto for "cyber espionage". E.g. Verisign bought iDefense back in the day, and iDefense did cyber espionage of bad people (dark web/boards/etc.). I assume any of these security firms with "intelligence" or "dark web monitoring" are still doing this.

Also, the following are fairly subjective:

"The CA operator has done any of the following: Mis-issued a large or unknown number of end-entity or intermediate certificates that they are not able to enumerate;"

What if they mis-issued 10 certs? Out of 20? Out of 20,000,000? Maybe some language around percentages? One idea: why not require CAs to report every mis-issued certificate to the CCADB? That would give you some data to work off of, e.g. what is a normal amount of mistakes and who are the outliers, good and bad? Can we maybe get some data from Let's Encrypt? They issue a lot of certs and appear to care about transparency and security.

"Deliberately violated Mozilla's Root Store Policy or other applicable policy; or Lied, concealed, or failed to disclose the full extent of a problem."

This language is problematic. "We didn't lie, we misspoke." Maybe "appear to have", so we're dealing with what we saw happen, and we don't have to figure out intent.

This one:

"The CA's provided address is a mail drop, rather than an office."

is hard to determine; maybe language like "an address shared with numerous other companies/entities" (e.g. a shell corporate registry), but what about P.O. boxes?

I think this is a good one:

- The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla's Root store.

Again, problematic language/intent:

- The CA's representatives are evasive on matters such as legal domicile and ownership.

I would suggest "not fully transparent"; put the onus on them to be honest, not on us to catch them being dishonest.

Also, more detail:

"The CA has physical, monetary, or business nexus to a government of a country that"

E.g. what about owners/owning corporations? "The CA and owning entities, recursively until some end is encountered." I would also note that CAs shouldn't be hidden in/part of horribly complex legal/business structures; that's a red flag. Ah, I see later:

- The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage.
- The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.

I think "owning entities" is probably a better term as it's generic, but I would suggest consulting a lawyer at this point for the correct term.

Also some definition of:

- Has gaps between audit periods.

E.g. what constitutes a gap?

On Tue, Jan 31, 2023 at 1:16 PM Kathleen Wilson <[email protected]> wrote:
> All,
>
> I will greatly appreciate your feedback on the following new wiki page.
>
> https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
>
> As you all know, sometimes we have very difficult decisions to make in
> regards to new inclusion or continued inclusion of root certificates in
> Mozilla's root store. With this new wiki page I am hoping to make such
> difficult root inclusion decisions more deterministic. Hopefully it will
> help the next time we have a difficult discussion about a CA who is
> currently in Mozilla's program. And hopefully it will enable us to decline
> root inclusion requests before we even get to the public discussion phase
> when the CA has participated in unacceptable behavior or has a multitude of
> concerning behaviors.
>
> Thanks in advance for your thoughtful and constructive consideration.
>
> Kathleen
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b0e3c58a-26b1-430c-9aeb-7763bdda6345n%40mozilla.org

--
Kurt Seifried (He/Him)
[email protected]

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3_p9GMJOMbdc%3D4NEMikcHe5K26U8yer1%3DK%3DM6Uwc-MsLA%40mail.gmail.com.
