Re: Chromium, EV, and CT
On 2014-08-13 02:04, Ryan Sleevi wrote:
> I just wanted to alert members of this list of a discussion that has been started on Chromium's ct-policy@ mailing list regarding Chromium's policies for requiring EV certificates be logged in Certificate Transparency Logs.
>
> Ben Laurie has started a discussion at https://groups.google.com/a/chromium.org/d/msg/ct-policy/_p8zRz5Em3s/2_0r4YjRQ8sJ about whether or not CAs should be permitted to redact domain names when logging certificates. As you can see from Ben's analysis of the Baseline Requirements and EV Guidelines, this may affect the ability of the public to ensure that CAs are conforming to the EV Guidelines, and thus rely on audits to ensure this.

My understanding is that this would only be for precertificates and that the real certificates would contain the complete name. Are there reasons why the real certificate would not be part of the CT log?

Kurt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Chromium, EV, and CT
On 8/12/14, 9:43 PM, fhw...@gmail.com wrote:
> It is a separate discussion. I wanted only some sort of statement from Mozilla about time frames and anticipated functionalities, if there are any.

Here's my understanding...

There are folks at Mozilla who are closely following CT (RFC 6962). We are using CT data to study the CA ecosystem, and we plan to use CT data in further work to monitor BR compliance. I do not know of current work being done to enforce CT in Firefox.

Kathleen

Chromium, EV, and CT
I just wanted to alert members of this list of a discussion that has been started on Chromium's ct-policy@ mailing list regarding Chromium's policies for requiring EV certificates be logged in Certificate Transparency Logs.

Ben Laurie has started a discussion at https://groups.google.com/a/chromium.org/d/msg/ct-policy/_p8zRz5Em3s/2_0r4YjRQ8sJ about whether or not CAs should be permitted to redact domain names when logging certificates. As you can see from Ben's analysis of the Baseline Requirements and EV Guidelines, this may affect the ability of the public to ensure that CAs are conforming to the EV Guidelines, and thus rely on audits to ensure this.

We welcome feedback from all parties, and are particularly interested to hear from those who would like to use the CT logs to better ensure compliance with Mozilla's policies and the competency of auditors, two very relevant discussions happening here.

As it presently stands, Chromium's policy prevents such redactions.

To help ensure everybody can participate, please avoid cross-posting, and instead comment on the original.

Cheers!

Re: Chromium, EV, and CT
Does Mozilla have a stated plan to include CT in its products?

The issues Ben lists sound like reasonable concerns but it seems this is putting the cart before the horse. The linchpin of CT is being able to turn on hard-fail when the SCT is missing or doesn't agree with the logs--or whatever the case may be.

I promise you that CT hard-fail will never happen because it requires CAs to be competent (some of whom genuinely are) or end entity cert holders to be interested (some of whom genuinely are) or both. It's just not the reality when you have a massive and complicated website deployment that people can or will be interested. There are too many moving pieces as it is.

Should Chrome activate hard-fail you will start to hear people say, that site doesn't work on Chrome for some reason, just use Firefox or Safari or IE.

Original Message
From: Ryan Sleevi
Sent: Tuesday, August 12, 2014 7:05 PM
To: dev-security-policy@lists.mozilla.org
Reply To: ryan-mozdevsecpol...@sleevi.com
Subject: Chromium, EV, and CT

I just wanted to alert members of this list of a discussion that has been started on Chromium's ct-policy@ mailing list regarding Chromium's policies for requiring EV certificates be logged in Certificate Transparency Logs.

Ben Laurie has started a discussion at https://groups.google.com/a/chromium.org/d/msg/ct-policy/_p8zRz5Em3s/2_0r4YjRQ8sJ about whether or not CAs should be permitted to redact domain names when logging certificates. As you can see from Ben's analysis of the Baseline Requirements and EV Guidelines, this may affect the ability of the public to ensure that CAs are conforming to the EV Guidelines, and thus rely on audits to ensure this.

We welcome feedback from all parties, and are particularly interested to hear from those who would like to use the CT logs to better ensure compliance with Mozilla's policies and the competency of auditors, two very relevant discussions happening here.

As it presently stands, Chromium's policy prevents such redactions.

To help ensure everybody can participate, please avoid cross-posting, and instead comment on the original.

Cheers!

Re: Chromium, EV, and CT
On Tue, August 12, 2014 6:49 pm, fhw...@gmail.com wrote:
> Does Mozilla have a stated plan to include CT in its products?

This is a separate discussion, and doesn't affect the ability of Mozilla to use CT logs to detect violations of Mozilla's inclusion policy. Obviously, CT in the client would be a win, but I think that even without such a plan in place, the CT logs provide a valuable tool in ensuring compliance, something that's unfortunately been lacking.

> The issues Ben lists sound like reasonable concerns but it seems this is putting the cart before the horse. The linchpin of CT is being able to turn on hard-fail when the SCT is missing or doesn't agree with the logs--or whatever the case may be.
>
> I promise you that CT hard-fail will never happen because it requires CAs to be competent (some of whom genuinely are) or end entity cert holders to be interested (some of whom genuinely are) or both. It's just not the reality when you have a massive and complicated website deployment that people can or will be interested. There are too many moving pieces as it is.
>
> Should Chrome activate hard-fail you will start to hear people say, that site doesn't work on Chrome for some reason, just use Firefox or Safari or IE.

As always, we welcome your feedback. However, this doesn't seem to be relevant to the question/discussion at hand, nor does your potential future meaningfully affect the factors that weighing CT implementation. As it stands, both Mozilla Firefox and Google Chrome have shown that it is possible to improve the CA ecosystem over time, and with appropriate signals. Similarly, other efforts, such as http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html or new features such as ServiceWorker http://jakearchibald.com/2014/service-worker-first-draft/ , and normative requirements such as http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-9.2 , show that there are still opportunities to help encourage sites to adopt stronger security practices.

However, that's all neither here nor there. This isn't and wasn't a post about hard-fail CT, but how CT can help Mozilla better regulate its policies, and the interest in the community of being able to freely and transparently audit CAs to such conformance.

Thus assume, if you will, a perfect world where CT was required and embraced by CAs. Would we want these features? Whether yea or nay, best to answer on ct-policy@.

Re: Chromium, EV, and CT
It is a separate discussion. I wanted only some sort of statement from Mozilla about time frames and anticipated functionalities, if there are any.

If the scope of CT is being narrowed to focus only on the use of log files as an auditing and compliance facility, that is something even I might agree with. As scoped out in RFC 6962, however, I would say the benefit to having CT in the browser is not even close to being an obvious win because the real world is not even close to the perfect world. There are just too many gaps.

But, as you point out, no one at Google is interested in stopping just because I see its impact as falling short of the dream. I accept that.

Original Message
From: Ryan Sleevi
Sent: Tuesday, August 12, 2014 9:06 PM
To: fhw...@gmail.com
Reply To: ryan-mozdevsecpol...@sleevi.com
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: Chromium, EV, and CT

On Tue, August 12, 2014 6:49 pm, fhw...@gmail.com wrote:
> Does Mozilla have a stated plan to include CT in its products?

This is a separate discussion, and doesn't affect the ability of Mozilla to use CT logs to detect violations of Mozilla's inclusion policy. Obviously, CT in the client would be a win, but I think that even without such a plan in place, the CT logs provide a valuable tool in ensuring compliance, something that's unfortunately been lacking.

> The issues Ben lists sound like reasonable concerns but it seems this is putting the cart before the horse. The linchpin of CT is being able to turn on hard-fail when the SCT is missing or doesn't agree with the logs--or whatever the case may be.
>
> I promise you that CT hard-fail will never happen because it requires CAs to be competent (some of whom genuinely are) or end entity cert holders to be interested (some of whom genuinely are) or both. It's just not the reality when you have a massive and complicated website deployment that people can or will be interested. There are too many moving pieces as it is.
>
> Should Chrome activate hard-fail you will start to hear people say, that site doesn't work on Chrome for some reason, just use Firefox or Safari or IE.

As always, we welcome your feedback. However, this doesn't seem to be relevant to the question/discussion at hand, nor does your potential future meaningfully affect the factors that weighing CT implementation. As it stands, both Mozilla Firefox and Google Chrome have shown that it is possible to improve the CA ecosystem over time, and with appropriate signals. Similarly, other efforts, such as http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html or new features such as ServiceWorker http://jakearchibald.com/2014/service-worker-first-draft/ , and normative requirements such as http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-9.2 , show that there are still opportunities to help encourage sites to adopt stronger security practices.

However, that's all neither here nor there. This isn't and wasn't a post about hard-fail CT, but how CT can help Mozilla better regulate its policies, and the interest in the community of being able to freely and transparently audit CAs to such conformance.

Thus assume, if you will, a perfect world where CT was required and embraced by CAs. Would we want these features? Whether yea or nay, best to answer on ct-policy@.