On Thu, May 4, 2017 at 11:30 PM, Steve Medin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Gerv, thank you for your draft proposal under consideration. We have posted
> our comments and detailed information at:
> https://www.symantec.com/connect/blogs/symantec-ca-continues-public-dialogue

(Posting in my personal capacity.)

Symantec says that Google's and Mozilla's proposals to impose a shorter certificate lifetime will harm their CA business and cause customers to move to other CAs.

The last time that Symantec was targeted for selective technical enforcement was when Google imposed a CT requirement on Symantec-issued certificates. Symantec had already set up a CT log and advocated for an ecosystem-wide CT requirement before then, and responded to Google's requirement by continuing this advocacy.

But in this case, Symantec is rejecting the premise and stating that to impose a 13-month limit industry-wide would require automation and not be feasible for enterprises, and lead to increased operating costs:

> We also do not believe that a 13-month validity limit should be imposed on the CA industry *at this time* – a conclusion that is reinforced by the recent CA/Browser Forum vote rejecting ballot 185, which proposed to limit the maximum validity of SSL/TLS certificates issued by all CAs to 13 months. As we have stated in our public response, many enterprises are not at the level of automation maturity necessary to practically and cost-effectively adopt shorter validity certificates. For these organizations, standardizing on shorter validity certificates would present substantial increases in their operating costs.

I believe that Symantec's assessment of this issue, expressed in this post and in their public voting statement on Ballot 185 [1], is seriously mistaken. While it's certainly true that enterprises would experience some pain and cost, Symantec states that 13-month certificates would either require automation to use, or would create such a workload increase that IT shops would have to hire staff. This is unpersuasive, as Mozilla and Google and others (myself included) have tried to communicate throughout the various discussions on this issue since January.

Everyone has recognized that a decrease to 90-day certificates would likely create such a situation. However, as someone who has worked in very large enterprises myself, I do not believe that moving to an annual renewal schedule is infeasible for the enterprise community to handle. Yes, it will cost them something, but the organizations that feel the pain most acutely will logically be the largest ones -- and the largest enterprises will also have the resources to respond appropriately.

As importantly, Symantec should be embracing changes that move enterprise customers along the path towards automation. My experience is that the lack of progress on automation is one of the most toxic and self-destructive features of the enterprise IT sector. At scale, a reliance on error-prone and unscalable human processes for basic infrastructure maintenance is a massive contributor to defense being so much more expensive than offense today.

Symantec's current proposal and blog post indicate that they are working to create automation-friendly options for customers, but that's not nearly sufficient to motivate the industry to change their behavior. I believe that if Symantec changes their attitude and puts their full weight behind shorter-lived certificates, it would indicate:

* A recognition that technical controls are superior to policy controls, especially when a CA is of such a significant size that reliable policy control enforcement becomes expensive.
* An understanding that Symantec's enterprise customers will always push back on changes that create more work for them, but that Symantec's goal of being an industry leader requires Symantec to lead their customers rather than to follow their instructions.
* A belief that automation by default, on the part of both CAs and their customers, is a collective action problem that is worth challenging the industry to solve.

Those are the kinds of indicators that Mozilla and Google tend to weight favorably in assessing the likelihood of future risk to users from a CA's practices.

So, I suggest that Mozilla and Google consider offering to drop the portions of their proposals that limit Symantec's certificate lifetime, if Symantec commits to supporting an industry-wide reduction in certificate lifetimes to 13 months. A commitment like this could take several forms, but to me it might look like:

* Symantec publicly and privately asking the browser programs to impose an industry-wide reduction by a reasonable date, whether or not a majority of browsers support it, and whether or not 2/3 of CAs support it.
* Symantec proposing a ballot to impose this through the CA/Browser Forum's Baseline Requirements.
* Symantec immediately beginning to communicate to their customers the positive security benefits of moving to 13-month-or-less certificates, and Symantec's clear expectation (and support for) this to happen industry-wide in the near future.

This would remove the aspect of the proposal most likely to create competitive impacts to Symantec's business, and significantly ease the path towards reducing certificate lifetimes.

Even though Symantec isn't handling this crisis of confidence well, I believe the intent of Symantec's employees is good -- that they are there to do more than just make money, and want to make the world a more stable and secure place. However, the identified issues and Symantec's responses suggest that their business incentives are not well-aligned with this goal. Given Symantec's resources and reputation, I believe Symantec reconsidering their stance on short-lived certificates would be a meaningful way for Symantec to address that misalignment, and I suggest that browsers open this path for them to take.

-- Eric

[1] https://cabforum.org/pipermail/public/2017-February/009701.html

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy