On 11/18/2008 08:12 PM, Frank Hecker:

> Not to speak for Ian, but I interpreted his comments as follows: We can
> add more provisions to the policy to address particular situations, but
> what do we ultimately gain in terms of enhanced security for end users?
> It's like adding more and more provisions to laws or regulations in
> order to cover special cases, to close loopholes, and so on. Is the
> extra complexity (in terms of writing the laws and regulations,
> interpreting them, enforcing them, etc.) worth the trouble? And in our
> case we have to remember that I, Kathleen, and others don't have
> infinite time and resources at our disposal.

With more users and more CAs, the responsibility grows. That's natural. You might need to request more resources, I don't know.

However, my point is simply that something as central and principal as the audit requirement isn't something we should compromise on. Basically the policy has a few major requirements:

- domain validation,
- email validation,
- identity/organization validation for code signing,
- relevance to the typical user,
- accepted norms of CA management, controls, etc. (covered by WebTrust, ETSI),
- audit requirement.

There is a loophole, as you call it; it has been a concern of mine where subordinate or cross-signed CAs are concerned, and something admittedly not foreseen. This issue stands out from all other "problematic practices" IMO, because it may effectively circumvent all of the principal and basic requirements above.

What I suggest changing is that the audit MUST cover the full PKI infrastructure and that external CAs (physical and logical) must be audited (with the parent CA or independently).

This wouldn't prevent CAs like GlobalSign from cross-signing and sub-signing external CAs in order to facilitate better coverage. Please note that GlobalSign apparently does exactly that (signing WebTrust-audited CAs).

It is easy to implement and govern, easy to understand and easy to detect. I don't anticipate any implications nor higher overhead than currently. Kathleen does that excellently, btw...

If it's worth the trouble? You'll know only after you've got CAs trusted in NSS which never should have been there in the first place. Mozilla doesn't have to facilitate a specific business model unique to some CAs, but *ensure the basic adherence to proper functioning of PKI and reliance in relation to its software*!


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto