On 27/02/2019 01:31, Matthew Hardeman wrote:
> I'd like to take a moment to point out that determination of the beneficial ownership of businesses of various sorts (including CAs) can, in quite a number of jurisdictions, be difficult to impossible (short of initiating adverse legal proceedings) to determine.
>
> What does this mean for Mozilla's trusted root program or any other root program for that matter? I submit that it means that anyone rarely knows to a certainty the nature and extent of ownership and control over a given business to a high degree of confidence. This is especially true when you start divorcing equity interest from right of control. (Famous example: Zuckerberg's overall ownership of Facebook is noted at less than 30% of the company, yet he ultimately has personal control of more than 70% of voting rights over the company; the end result is that he ultimately can control the company and its operations in virtually any respect.)
>
> A number of jurisdictions allow for the creation of trusts, etc., for which the ownership and control information is not made public. Several of those, in turn, can each be owners of an otherwise normal-looking LLC in an innocuous jurisdiction elsewhere, each holding, say, 10% equity and voting rights. Say there are 6 of those. Well, all six of them can ultimately be proxies for the same hidden partner or entity. And that partner/entity would secretly be in full control. Without insider help, it would be very difficult to determine who that hidden party is.
>

While the ability to adversely extract such information for random companies is indeed limited by various concerns (including the privacy of charity activists and small business owners), the ability to get this information willingly as audited facts is very common, and is something that (non-technical) auditors are well accustomed to doing. Thus root programs could easily request that information about beneficial ownership etc. be included as fully audited facts in future audit summary letters. Subject to an appropriate launch date so CAs and auditors can include the needed billable work in their WebTrust audit pricing, and actually perform this work (typically by sending relevant people from their business auditing sister operations to do this properly).

> Having said all of this, I do have a point relevant to the current case. Any entity already operating a WebPKI trusted root signed SubCA should be presumed to have all the access to the professionals and capital needed to create a new CA operation with cleverly obscured ownership and corporate governance. You probably cannot "fix" this via any mechanism.
>
> In a sense, that DarkMatter isn't trying to create a new CA out of the blue, operated and controlled by them or their ultimate ownership, but rather is being transparent about who they are is interesting.
>
> One presumes they would expect to get caught at misissuance. The record of noncompliance and misissuance bugs created, investigated, and resolved one way or another demonstrates quite clearly that over the history of the program a non-compliant CA has never been more likely to get caught and dealt with than they are today.
>
> - - - -
>
> I believe the root programs should require a list of human names with verifiable identities and corresponding signed declarations of all management and technical staff with privileged access to keys or ability to process signing transactions outside the normal flow. Each of those people should agree to a life-long ban from trusted CAs should they be shown to take intentional action to produce certificates which would violate the rules, lead to MITM, etc. Those people should get a free pass if they whistle-blow immediately upon being forced, or ideally immediately beforehand as they hand privilege and control to someone else.
>
> While it is unreasonable to expect to be able to track beneficial ownership, formal commitments from the entity and the individuals involved in day-to-day management and operations would lead to a strong assertion of accountable individuals whose cooperation would be required in order to create/provide a bad certificate. And those individuals could have "skin in the game" -- the threat of never again being able to work for any CA that wants to remain in the trusted root programs.
>

This proposal is disastrously bad and needs to be publicly dispelled by the root program administrators as quickly as possible, for the following reasons:

1. Punishing all CA operations experts that worked at a failed CA by making them essentially unemployable for the failures of their (former) boss is unjust in principle.

2. If there is even a hint that such a policy may be imposed, every key-holding CA employee at every CA will be under duress (by the root programs) to hide all problems at their CA and defend every bad decision and mistake of their CA for fear of becoming blacklisted.

3. People with direct key access are obvious targets of unlawful coercion, just like bank employees with keys to the vaults. We really don't want to publish a hit list of whom criminal gangs (etc.) should target with violence, kidnapping, blackmail etc. when they want to get malicious certificates for use against high-value targets.

4. If a CA still practices the "off-site split key secret trustees" way of preventing root key loss, publishing the names of those trustees would defeat the purpose of that security measure.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy