On 5/2/09 15:03, Frank Hecker wrote:
> ... For example, suppose a CPS said something like "Causes for
> certificate revocation include ... compromise of the private key". This
> leaves it somewhat unclear whether the CA can unilaterally revoke or not.
Right. The question is not whether the CPS includes something about
private keys, but how the CPS says that revocation is decided upon.
Let's try this test. Say we have a statement that says:
CA revokes when the private key is compromised.
This is only half the answer, because now we need to know how the CA
knows it has been compromised. If you want, you can go down the
rabbit hole of defining compromise ... which only takes us to the
question of how we know that the definition has been tested.
At a conceptual or governance level, we are trying to be too
Preventative, which is to say, make it all perfect up front. We are
ignoring the Corrective side, which is to say, we are forgetting that
things break and have to be repaired later. (This character flaw is
probably a reflection of the cryptography background, where things that
are not perfect are sinful.)
The business of CAs has only a little to do with crypto, and a lot more
to do with other things, none of which are as perfect as crypto.
The question, then, is how the CA decides when something is claimed to
be wrong. The normal business thing would be for the CA to include in
its agreement (CPS or whichever) that the CA can decide at its own
discretion. This is either done by a simple means, "CA decides at own
discretion", or the complicated means of including so many clauses that
there are plenty of ways to apply discretion.
Then, it is no longer ambiguous. This still leaves Kyle's objections of
"I don't trust that discretion" ... but it is unambiguous in the sense
that the same person who says "this is you" also says "this is no longer
you."
iang
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security