Re: Requirements for CNNIC re-application

2015-05-22 Thread Eric Mill 
On Fri, May 22, 2015 at 5:15 PM, Kathleen Wilson kwil...@mozilla.com
wrote:

 On 4/7/15 5:31 PM, Richard Barnes wrote:


 5. April 1, 2016 is the earliest date at which CNNIC may apply for full
 inclusion, so SSL certificates issued after Apr 1 2015 for new domains will
 be recognized.


Do you mean will *not* be recognized?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Requirements for CNNIC re-application

2015-05-22 Thread Kathleen Wilson 

On 4/7/15 5:31 PM, Richard Barnes wrote:

As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015.  CNNIC may reapply for full inclusion following
the normal process, along with any additional steps that this community
decides to require of them.  The purpose of this thread is to discuss what
additional steps, if any, we should require.

CNNIC has already provided Mozilla with a list of certificates issued
before 1 Apr 2015.  We are working on publishing this list.  CNNIC has also
informed Mozilla that they plan to take the following steps:
snip

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/qPcyC_DWlSwJ
[2]
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
[3] http://tools.ietf.org/html/rfc6962




Here is my interpretation of the result of this discussion, and what I 
should communicate to CNNIC...


CNNIC may re-apply for full inclusion following the normal process, 
after they have completed the following additional steps.


1. Provide a list of changes CNNIC has implemented to ensure that there 
are no future violations of Mozilla Policy and the Baseline Requirements.


2. Improve CNNIC’s process for authorizing intermediate CAs, and fully 
document this improved process in the CP/CPS.


3. Include in this year's WebTrust audit an explicit confirmation by the 
auditor that these changes have been implemented and enforced.


4. Provide auditor attestation that a full performance audit has been 
performed confirming BR compliance according to 
https://wiki.mozilla.org/CA:BaselineRequirements


5. April 1, 2016 is the earliest date at which CNNIC may apply for full 
inclusion, so SSL certificates issued after Apr 1 2015 for new domains 
will be recognized.


Please reply if I've missed anything that needs to be added to this list.

Thanks,
Kathleen


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Name-constraining government CAs, or not

2015-05-22 Thread Gervase Markham 
On 21/05/15 13:56, Peter Kurrasch wrote:
 ‎‎Returning to your original post, Gerv

Thank you :-)

 So here is where the difference really lies between government and
 commercial CAs: control. Governments and, therefore, government CAs
 wield a level of control that commercial entities normally do not. They
 have the power to control who is allowed access to web sites that talk
 about evolution or climate change or plans for citizen uprisings. They
 have the ability to send agents to your home and harrass you for
 engaging in immoral acts over the internet.
 
 The power is genuinely immense, and since there is so much more at
 stake, the security analysis must be considered differently than for
 commercial CAs.

Other things governments have the power to do, which are relevant:

1) Mandate that all government websites (which, these days, citizens
   often have no option but to use) use a particular CA, such as their
   own;

2) Mandate that all websites hosted in their country use a particular
   CA, such as their own;

3) Compel a CA within their borders to issue a certificate, and not
   tell anyone.

1) and 2) are reasons why commercial pressures do not apply to
government CAs. 1) actually seems a reasonable thing for a government to
do - and it's one big reason why we have governmental CAs in the program
in the first place. 2) is, to my mind, not reasonable.

3) is sometimes given as a reason why government CAs are not all that
different from commercial CAs - if a government CA can't misissue a
cert, they can just compel a CA to do it for them, so what's the
difference?. But I think there are several differences:

* Not all governments have the power to compel silent cert creation
  (some governments still have some ideas about civil liberties);

* Most governments do not host a CA within their borders;

* For those which do, there is sometimes a defence of severe hardship;
  if the CA knew its business would be blown up were the misissuance
  discovered, it could argue against being compelled to do so.

So while it may be possible to find a jurisdiction where there is no
effective difference between a government CA and a commercial CA hosted
there, I would say this is not true for the large majority of jurisdictions.

 2) If it is different, does name-constraining government CAs make
 things better, or not?
 
 One situation that is addressed by name constraints is that today it's
 generally possible for any CA to issue a cert for any domain. In the
 context of a security analysis that's problematic which is why name
 constraints has its appeal.
 
 Combine that with the power of governments and add a dash of crime show
 drama cliché: motive, means, opportunity. ‎The desire--or, perhaps,
 need--to institute controls gives governments the motive. The extent to
 which governments own/operate/control the internet infrastructure (or
 other access to web sites) and are able to issue certs provides the
 means. And if any CA can issue any cert the opportunity is always there.

This is a relevant point. Without even considering motive, governments,
as opposed to commercial CAs, generally have both means and opportunity
to do MITM attacks on their citizens. A commercial CA generally does
not, although that's not entirely true, as some organizations which
control significant bits of internet infrastructure are also CAs or subCAs.

 So if a decision is made to require name constraints by a government CA
 that would have the benefit of limiting the opportunities for bad acts.
 Absent that, are there other mechanisms worth considering that would
 have a beneficial impact on the motive, means, opportunity formula? One
 example that comes to mind is separating cert issuance with control of
 the infrastructure. 

I can see the superficial attractiveness of this, although I think that
it would have significantly greater definitional issues than what is a
government CA? How do you decide whether a company has enough control
of infrastructure that they can't be a CA? Do you consider local or only
international factors? What if they are a CA, and they grow - do you
have to stop trusting them? And so on.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy