(following is just for the record so as to deal with the response. No new info is in here for other readers.)


On 28/12/08 14:21, Eddy Nigg wrote:
> On 12/28/2008 02:46 PM, Ian G:
>
>> 1. Certs: All end-users who rely on these certs will lose. That probably
>> numbers in the millions. All subscribers will lose, probably in the
>> thousands. The CA will lose; potentially it will lose its revenue
>> stream, or have it sliced in half (say), which is what we would call in
>> business circles a plausible bankruptcy event.
>
> Not relevant.


Well! If they are not relevant, then perhaps we can turn SSL off, with no consequences?


> I suggest that you refrain from now on from giving legal advice on these
> matters, Mozilla has a legal department and lawyers for that. But if we
> are at it,


Let's deal with this self-contradictory statement.

To ignore the obvious legal ramifications (agreements in RPAs, disclaimers to end-users, potential lawsuits ...) would be negligence, IMHO.

We know the ramifications exist. We know they may be serious. We know that assertions of security are being made to end-users. Hence to continue making these assertions, and not treat them seriously, would be negligence.

I personally choose not to follow that path into negligence, and will continue to consider the legal ramifications, which leads to the question of how we consider them.

We could simply refer them to the legal department, as you suggest. Mozilla has a legal department, as you kindly point out, but they are silent. They may have entirely good reasons for being silent, but that makes them more or less useless for the work of this forum. So referring them to that legal department is not an option for now.

We could simply refer them to our own legal department. But, we are all here as volunteers, and while some of the businesses may like to put their counsel at the service of this group, this won't work because of conflicts of interest. This is therefore not an option.

Which leaves the final option: we have to deal with it, ourselves, and we have to work with the known and understood caveats that none of us are lawyers.

Others may have other views, but I would suggest that in this forum, we have to consider the legal ramifications.


> Mozilla has no legal or any other requirement (as far as I
> know) to include or keep a root.


No, I'm afraid there is an agreement to list the root, under a policy. Once listed, Mozilla has to operate according to its side of the bargain.

This is a general consequence of business, there is nothing special about it. Ask any experienced business person.


> The Mozilla CA Policy clearly reserves
> the right to remove any of the roots (including all of them) at any
> time. If this isn't the case we all should know about it.


The problem being, that even if it reserves the right to make a choice for any reason, this does not give Mozilla carte blanche. If it makes a bad choice, a judge can imply a "reasonableness" test.

This is one of those areas where we really do need lawyers in the conversation, but I will short circuit that with a prediction of mine, only:

    the lawyers will likely say, "we will find out in court."

Great answer, huh? It sure keeps the lawyers in work, and it provides little help for us. See earlier analysis.


> Additionally
> it's Mozilla which also has the right to sue the CA and not the other
> way around. Just for your knowledge, Microsoft and other vendors reserve
> the same right.


Everyone has the right to walk into court. That point is empty of practical value.


>> 3. Industry: All other CAs will lose because they will now have to
>> include in their business plans the possibility of a root being dropped
>> by a bad decision.
>
> Very good! Even though I'm not the proponent of the proposal to remove
> Comodo's root (instead work towards a real improvement, with the removal
> as a stick), this is exactly what possible removal should achieve.


Please read it carefully: a root being dropped by a BAD decision.


> Refrain CAs from making bad decisions.


Oh, ok. No, I meant MOZILLA making a bad decision. E.g., a mistake.


> More than that, some CAs are at a
> disadvantage when competing with CAs which are willing to take high
> risks. This must be clearly recognized and I'm all in favor of having to
> compete on equal footing. This isn't the case today.


Indeed. You won't achieve it by dropping a root, and you won't achieve it by _threatening_ to drop a root.

I suggest you will achieve precisely the reverse, because some CAs will have an advantage in that negotiation, and they will overcome any positive benefit in a way that has little bearing on security for the users.

Standard business stuff, really.


>> 4. Security will go down, because less certs are delivered and in use.
>> (It's hard to calculate the secondary losses here, but not impossible.)
>
> That's easy to revert, I'm certain there are a bunch of CAs ready to
> issue new certs to them.


That's hopeful marketing talk, not security analysis!


>> 1. Against that you can weigh the damages done so far and the harm to
>> protect against. We know it is down to 11 or so certs, all revoked.
>
> That's absolutely not correct. Right now nobody knows - including Comodo
> - how many certs are really unvalidated because of the lack thereof.


They stated how many, IIRC. I recall it was something like 111 certs issued and 11 outstanding that had not been re-verified within around 48 hours (these numbers are not accurate, but indicative) and were therefore revoked.

Are we disputing their stated claims? Or are you making a wider claim that their entire cert base is unverified? Or?


> This is what I know at the moment and it would be good if Comodo could
> dispute that claim and advise differently or confirm it.
>
>> 2. There is the possible benefit to the other CAs as a punishment tool,
>> in the case where the decision is good (see 3. above). There could be a
>> knock-on effect in convincing CAs to tighten their game.
>
> Right! I'm all in favor of that, let's go for it!


Well, that is the expectation of some people. I suggest it is hopelessly unfounded, in business terms, and may achieve more damage than good.


>> However, this
>> needs to be balanced against other costs and loss of certs, and in
>> practice, the dominant factor is this: more certs is more security, less
>> certs is less security.
>
> Less unvalidated certs is more security, not less. An unknown number of
> unvalidated certs is no security at all.


Yes, we are now getting into the difficult area of estimating the overall benefit of different models of security. This game is well known to be controversial. Let's leave that aside for now.




iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto