On Wed, Dec 18, 2024 at 09:17:45AM -0800, 'Ben Wilson' via 
[email protected] wrote:
> As part of the discussions on this proposal, namely that CAs “maintain and
> test mass revocation plans annually, including the revocation of 30
> randomly chosen certificates within a 5-day period,” I’ve received a few
> comments via private channels, and to ensure transparency and foster
> discussion, I am sharing them here anonymously:
>
> 1. “Mozilla does not grant exceptions…” -- this is the most important
> signal that Mozilla can provide.

This has been fairly unambiguous from my perspective, and yet it
appears that this wording has been open to misinterpretation.

> 2. If certificate consumers want to prohibit delayed revocation, then they
> need to make it clear to CAs that they won't accept it and that they will
> kick them out of the root stores if they still do it. Don't try to solve
> this issue with indirect measures like random revocations. Just be straight
> about it and make it clear that there will be consequences for the very
> first delayed revocation and onward.

I do believe that clearly spelled-out consequences for non-compliance
would go some way to encouraging good behaviour.  The current approach,
where non-compliance may or may not have any repercussions for the CA,
doesn't help those within the CA who are fighting the good fight to push
back against terrible ideas.  "It might lead to bad things happening" is
a very weak argument compared to "if we do this, Mozilla will definitely
remove us from their trust store".

> 3. We will face big problems in revoking productive customer certificates
> just to test our mass-revocation plan and procedures. Our current customer
> contracts do not foresee this. While we can revoke at any time for security
> or compliance reasons,

What is "Mozilla makes us revoke 30 randomly-chosen certificates,
RNJesus has decided that today's your turn in the barrel" if not a
compliance reason?

> 4. This part of the proposal should occur within the CA/Browser Forum
> through amendments to the TLS Baseline Requirements, and not via Mozilla
> Root Store Policy.

... so that all the CAs can vote against it and kill it.  As the name
suggests, *Baseline* Requirements are the very lowest common denominator
that all parties are willing to accept; hog-tying one trust store that
wishes to innovate is completely unacceptable.

> 5. Why was the number 30 chosen as a sample?  Some CA operators issue very
> few certificates, while some CAs issue millions of certificates.

I was considering responding to this part of the original proposal, to
suggest "30 or 0.N% of annual issuance volume, whichever is lower" type
of language, but when I thought about it further, if an entire CA is
issuing so few certificates that revoking 30 is an unreasonable burden,
I'd be very concerned about their operational practices in general,
given how little practice they get with them.

On the subject of the selection of certificates, I'd like to echo the
other comments expressing concerns about the degree to which CAs might
seek to "game" the random selection.  It's one of those "it's too easy
to do, and too hard to get caught" situations where shenanigans (or even
the appearance of shenanigans) like to live.

- Matt

To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/5475a38b-b055-4f99-8c43-0213687cfd7e%40mtasv.net.
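The last point in Matt's message, that a CA could quietly "game" the random selection, is the kind of thing a commit-then-reveal sampling procedure is designed to close off. The following is an added illustration, not part of the thread and not any CA's, Mozilla's, or the CA/Browser Forum's procedure: the CA publishes a commitment to the full candidate population before a public randomness value becomes known, the 30-certificate sample is derived deterministically from commitment plus randomness, and anyone holding the population list can recompute it. The serial numbers and the "beacon" value below are constructed for the example (a real deployment would take the beacon from a public source such as a drand round and would audit the population against CT logs, which is an assumption of this design, not something the thread specifies).

```python
"""
Verifiable random selection of certificates for a mass-revocation drill.
Hypothetical scheme, added as an illustration. Steps:
  1. CA commits to the sorted, de-duplicated population (hash of the list).
  2. A public randomness value ("beacon") is published later, outside CA control.
  3. Sample = deterministic function of (commitment, beacon).
  4. Anyone with the population list recomputes and checks the sample.
Changing the population after the beacon is known breaks the commitment.
"""
import hashlib
import hmac

SAMPLE_SIZE = 30  # the figure in the proposal under discussion

# Constructed sample inputs (not real serial numbers or a real beacon output).
SAMPLE_SERIALS = [f"{i:032x}" for i in range(1, 1001)]
SAMPLE_BEACON = hashlib.sha256(b"constructed beacon round 12345").hexdigest()


def commit_population(serials):
    """Return (canonical population, hex commitment).

    Sorting and de-duplicating makes the commitment independent of the order
    the CA happens to list certificates in; length-prefixing each entry keeps
    the hash unambiguous for variable-length identifiers.
    """
    pop = sorted(set(serials))
    h = hashlib.sha256()
    for s in pop:
        data = s.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return pop, h.hexdigest()


def derive_seed(commitment_hex, beacon_hex):
    """Bind the sample to both the commitment and the public randomness."""
    return hmac.new(bytes.fromhex(beacon_hex),
                    bytes.fromhex(commitment_hex),
                    hashlib.sha256).digest()


def select_sample(pop, seed, k=SAMPLE_SIZE):
    """Pick k distinct entries from pop, deterministically from seed.

    Indices come from an HMAC counter stream with rejection sampling so that
    no index is favoured by modulo bias. For a CA with fewer than k
    certificates (point 5 in the thread) the whole population is selected.
    """
    n = len(pop)
    if n == 0:
        return []
    k = min(k, n)
    limit = (2 ** 64 // n) * n  # largest multiple of n below 2**64
    chosen, counter = [], 0
    while len(chosen) < k:
        block = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
        r = int.from_bytes(block[:8], "big")
        if r >= limit:
            continue  # reject and draw again
        entry = pop[r % n]
        if entry not in chosen:
            chosen.append(entry)
    return chosen


def verify_sample(serials, commitment_hex, beacon_hex, claimed):
    """Auditor side: recompute commitment and sample from the published data.

    Returns False if the population no longer matches the commitment
    (e.g. the CA swapped entries after seeing the beacon) or if the claimed
    sample differs from the one the seed actually produces.
    """
    pop, commitment = commit_population(serials)
    if commitment != commitment_hex:
        return False
    return select_sample(pop, derive_seed(commitment, beacon_hex)) == claimed


if __name__ == "__main__":
    population, commitment = commit_population(SAMPLE_SERIALS)
    sample = select_sample(population, derive_seed(commitment, SAMPLE_BEACON))
    print("commitment:", commitment)
    print("sample:", sample)
    print("honest verification:", verify_sample(SAMPLE_SERIALS, commitment, SAMPLE_BEACON, sample))
    # A CA that quietly replaces one certificate after the beacon is known:
    tampered = SAMPLE_SERIALS[:-1] + ["f" * 32]
    print("tampered verification:", verify_sample(tampered, commitment, SAMPLE_BEACON, sample))
```

What this does not solve: the commitment only proves the population was fixed before the randomness appeared; it says nothing about whether that population is the CA's real issuance. Checking the committed list against CT log entries for the period is the missing half, and it is the part a trust store would have to require explicitly.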