> A quick note before I go off to work: I'm about to conclude that modifying draft 10 of the CA cert policy to mandate additional CA requirements is not going to work; in the words of the IETF we have neither "rough consensus" nor "working code".
Working code? We have plenty of working code. No additional working code is needed to place a "floor" on CA requirements.
> Therefore I'm at present planning to move forward as follows:
> I'm going to use draft 10 as a base, with the following proposed additions:
> * Modify clause 6 ("We require that all CAs...") to add a final paragraph as follows (or make this a new clause 7):
> In addition, we reserve the right to not include a CA's certificate(s) in cases where we believe that doing so would cause undue risks to users' security *or* cause technical problems with the operation of our software.
> * Add a new clause 12 as follows:
> 12. We will appoint one or more persons to make decisions on our behalf to evaluate CA requests and make decisions regarding them. CAs or others objecting to a particular decision may appeal to mozilla.org staff, who will make a final decision.
> Language needs to be tweaked for style, etc., but this should give you the general idea.
> The underlying idea here is that IMO it will be difficult, nay impossible, to write and (especially) implement the policy without making subjective decisions, either in general or about a particular CA.
Well, it seems that after a year, we've come full circle. IIRC, one of the reasons for adopting the webtrust model in the first place was to get mozilla OUT of the business of making subjective decisions. Why do you now wish to reverse that?
> In particular, I intend the added language in clause 6 to address the concerns of Nelson and others about rogue or incompetent CAs "slipping through" based on meeting the mere letter of the requirements (e.g., a CA with an extremely loose CPS attested to by an auditor willing to take the money and run,
Nothing I've ever read about WebTrust audits (or heard from people I know who have undergone them) suggests that WebTrust has any "floor" of requirements. The CA states its policy, and the auditor attests that it meets its policy. I've heard that if a CA has no stated policy on certain issues, the auditor may request/require that the CA write one, and then check to see that it is followed. But nothing I've heard says that the auditor can impose a minimum policy.
The phrase "take the money and run" might apply to an auditor that failed to hold a CA to its own policies, but not to an auditor who rightly attests to a CA that does adhere to its own policies, no matter how low they may be. In the absence of a floor, for an auditor to withhold attestation when a CA does meet its own policies would probably be an "actionable" offense.
You wonder if this is merely a "good thing" or if there is real cause for concern. There is real cause for concern. I will write you privately about it.
> or a CA that generates certs that crash or otherwise hork up our software).
Yeah, it's good to have an out for that. :-)
> However if you're going to introduce subjectivity (which I think is inevitable)
I don't see it as inevitable. Impose a floor, an objective one. You've proposed one, described as "the LCP from TS 102 042". I've not seen that document, so I cannot speak to its suitability, but if you think it meets my concerns, I'd say we should use it as a starting point for the floor.
> then IMO you also have to accompany that with transparency and accountability, so that a) you know what's going on with regard to the decisions that are taken, and b) you have a channel to make complaints if you think a decision was botched.
Well, that's probably a good idea whether or not there is subjectivity.
> (In practice we should add a link to some other page like the module owners page to identify the actual person making decisions, whether me or someone else.)
Also a good idea.
> That's it for now. My plan is to make the above changes in draft 11 (tomorrow if I have time), and then submit that to the Mozilla Foundation for final approval a day or two after that.
I will write you privately about my motivation for wanting a floor.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
