Re: Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-23 Thread Wayne Thayer via dev-security-policy
I've made the additional change proposed above to the 2.6 branch:
https://github.com/mozilla/pkipolicy/commit/13ce71ab3936e721236b8c9f8753f253fb7f3750


On Tue, Mar 20, 2018 at 2:23 PM, Ryan Sleevi wrote:

> Ah, good point. Yeah, I think that's a perfectly reasonable change.
>
> On Tue, Mar 20, 2018 at 2:45 PM, Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi wrote:
>>
>> > So, one aspect of this is the recently discussed risk - that is, a CA that
>> > provides value for only 10 users presents a substantial amount of risk to
>> > all Mozilla users, for both compromise and non-compliance. This is,
>> > admittedly, a subjective evaluation - but then again, so is trust. I'm
>> > curious whether the current "typical" language serves to establish a
>> > baseline bar for assessing the risk - that is, a CA that issues only one
>> > certificate a year, used by 100 Mozilla users, seems like a substantial
>> > risk to all Mozilla users.
>> >
>>
>> Does the first sentence of section 7.1 address this concern? I proposed
>> [1]
>> removing "benefits and" so that it reads:
>>
>> 7.1 Inclusions
>> >
>> > We will determine which CA certificates are included in Mozilla's root
>> > program based on the risks of such inclusion to typical users of our
>> > products.
>> >
>>  In other words, the proposed change to section 2.1(1) does not exclude
>> roots that fail to meet the "relevant to typical users" bar, but section
>> 7.1 supports us in making decisions based on the risk to a typical user.
>>
>> - Wayne
>>
>> [1]
>> https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b
>> ___
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>


Re: Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-20 Thread Ryan Sleevi via dev-security-policy
Ah, good point. Yeah, I think that's a perfectly reasonable change.

On Tue, Mar 20, 2018 at 2:45 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi wrote:
>
> > So, one aspect of this is the recently discussed risk - that is, a CA that
> > provides value for only 10 users presents a substantial amount of risk to
> > all Mozilla users, for both compromise and non-compliance. This is,
> > admittedly, a subjective evaluation - but then again, so is trust. I'm
> > curious whether the current "typical" language serves to establish a
> > baseline bar for assessing the risk - that is, a CA that issues only one
> > certificate a year, used by 100 Mozilla users, seems like a substantial
> > risk to all Mozilla users.
> >
>
> Does the first sentence of section 7.1 address this concern? I proposed [1]
> removing "benefits and" so that it reads:
>
> 7.1 Inclusions
> >
> > We will determine which CA certificates are included in Mozilla's root
> > program based on the risks of such inclusion to typical users of our
> > products.
> >
>  In other words, the proposed change to section 2.1(1) does not exclude
> roots that fail to meet the "relevant to typical users" bar, but section
> 7.1 supports us in making decisions based on the risk to a typical user.
>
> - Wayne
>
> [1]
> https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b
>


Re: Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-20 Thread Wayne Thayer via dev-security-policy
On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi wrote:

>
> So, one aspect of this is the recently discussed risk - that is, a CA that
> provides value for only 10 users presents a substantial amount of risk to
> all Mozilla users, for both compromise and non-compliance. This is,
> admittedly, a subjective evaluation - but then again, so is trust. I'm
> curious whether the current "typical" language serves to establish a
> baseline bar for assessing the risk - that is, a CA that issues only one
> certificate a year, used by 100 Mozilla users, seems like a substantial
> risk to all Mozilla users.
>

Does the first sentence of section 7.1 address this concern? I proposed [1]
removing "benefits and" so that it reads:

7.1 Inclusions
>
> We will determine which CA certificates are included in Mozilla's root
> program based on the risks of such inclusion to typical users of our
> products.
>
 In other words, the proposed change to section 2.1(1) does not exclude
roots that fail to meet the "relevant to typical users" bar, but section
7.1 supports us in making decisions based on the risk to a typical user.

- Wayne

[1]
https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b


Re: Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-20 Thread Ryan Sleevi via dev-security-policy
On Mon, Mar 19, 2018 at 6:26 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> A few months ago, we discussed our root inclusion criteria [1], and came to
> a conclusion that I summarized and proposed in policy as follows:
>
> I would like to thank everyone for your constructive input on this topic.
> > At the outset I stated a desire to ‘establish some objective criteria that
> > can be measured and applied fairly’. While some suggestions have been made,
> > no clear set of criteria has emerged. At the same time, we’ve heard the
> > argument that our time would be better spent on raising the bar for all CAs
> > in the program, regardless of their subjective value to typical users of
> > our products.
> >
> > Some thought was also given to applying unique technical criteria to new
> > CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> > support. It was pointed out, however, that this favors incumbents and
> > doesn’t drive improvement in the overall ecosystem.
> >
> > The conclusion from this discussion is that we will not attempt to restrict
> > organizations from participating in the Mozilla CA program based on a
> > judgement of their value to our users. We will continue to require
> > applicants to demonstrate compliance with our policies, and reserve the
> > right to deny membership to any CA at our discretion, e.g. because they
> > have a documented pattern of misbehavior or we believe they intend to
> > violate our policies.
> >
> > Here is a proposed update to the Mozilla Root Store Policy reflecting this
> > decision:
> >
> > https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1
> >
>
> Having just reviewed this again, I recommend that we also remove the word
> “typical” from section 2.1(1) of the policy that reads:
>
> CAs whose certificates are included in Mozilla's root program MUST:
> > 1. provide some service relevant to typical users of our software
> > products;
> >
>
> This is: https://github.com/mozilla/pkipolicy/issues/118 and
> https://github.com/mozilla/pkipolicy/issues/104
>
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/GbXvh9ulboI/DWdJUc_cAQAJ
>
>
So, one aspect of this is the recently discussed risk - that is, a CA that
provides value for only 10 users presents a substantial amount of risk to
all Mozilla users, for both compromise and non-compliance. This is,
admittedly, a subjective evaluation - but then again, so is trust. I'm
curious whether the current "typical" language serves to establish a
baseline bar for assessing the risk - that is, a CA that issues only one
certificate a year, used by 100 Mozilla users, seems like a substantial
risk to all Mozilla users.


Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-19 Thread Wayne Thayer via dev-security-policy
A few months ago, we discussed our root inclusion criteria [1], and came to
a conclusion that I summarized and proposed in policy as follows:

I would like to thank everyone for your constructive input on this topic.
> At the outset I stated a desire to ‘establish some objective criteria that
> can be measured and applied fairly’. While some suggestions have been made,
> no clear set of criteria has emerged. At the same time, we’ve heard the
> argument that our time would be better spent on raising the bar for all CAs
> in the program, regardless of their subjective value to typical users of
> our products.
>
> Some thought was also given to applying unique technical criteria to new
> CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> support. It was pointed out, however, that this favors incumbents and
> doesn’t drive improvement in the overall ecosystem.
>
> The conclusion from this discussion is that we will not attempt to restrict
> organizations from participating in the Mozilla CA program based on a
> judgement of their value to our users. We will continue to require
> applicants to demonstrate compliance with our policies, and reserve the
> right to deny membership to any CA at our discretion, e.g. because they
> have a documented pattern of misbehavior or we believe they intend to
> violate our policies.
>
> Here is a proposed update to the Mozilla Root Store Policy reflecting this
> decision:
>
> https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1
>

Having just reviewed this again, I recommend that we also remove the word
“typical” from section 2.1(1) of the policy that reads:

CAs whose certificates are included in Mozilla's root program MUST:
> 1. provide some service relevant to typical users of our software
> products;
>

This is: https://github.com/mozilla/pkipolicy/issues/118 and
https://github.com/mozilla/pkipolicy/issues/104

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/GbXvh9ulboI/DWdJUc_cAQAJ

---

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md