
Proposing an addition to the Enforcement Policy


Kathleen Wilson

Apr 24, 2013, 2:32:51 PM
to mozilla-dev-s...@lists.mozilla.org
All,

I propose adding the following line item to Mozilla's CA Certificate
Enforcement Policy.

http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html

"One knowingly or intentionally mis-issued certificate (for example, a
certificate that can be used for MITM or "traffic management" of domain
names or IPs that the certificate holder does not legitimately own or
control) may result in immediate removal of the CA's certificate(s) from
Mozilla's products."


The current policy has:
"2. ... Mozilla will disable or remove a certificate if the CA
demonstrates ongoing or egregious practices that do not maintain the
level of service that was established ..."

But I think it would be worthwhile to add another, more specific line
item as proposed above.

I will appreciate your thoughtful and constructive input on this proposal.

Thanks,
Kathleen

Eddy Nigg

Apr 24, 2013, 5:11:38 PM
to mozilla-dev-s...@lists.mozilla.org
On 04/24/2013 09:32 PM, From Kathleen Wilson:
> But I think it would be worthwhile to add another, more specific line
> item as proposed above.
>

I would agree, but also point to the fact that Mozilla explicitly and
implicitly through the BR decided under which circumstances a
certificate may be issued.

Assuming that any certificate that would be issued for any MITM purpose
would not have been issued according to those requirements (for example
domain control validation), that in itself could be a reason for
non-compliance. The circumstances would probably make the difference
regarding removal or non-acceptance.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

David E. Ross

Apr 24, 2013, 8:57:54 PM
to mozilla-dev-s...@lists.mozilla.org
The phrase
> immediate removal of the CA's certificate(s)
should instead read
> immediate removal of all of the CA's root certificate(s)

This makes clear that ALL roots of the offending CA will be removed.

--
David E. Ross
<http://www.rossde.com/>

Are taxes too high in the U.S.? Check the bar graph
at <http://www.rossde.com/taxes/trickling.html> to see.

Gervase Markham

Apr 25, 2013, 11:29:02 AM
to Kathleen Wilson
On 24/04/13 19:32, Kathleen Wilson wrote:
> “One knowingly or intentionally mis-issued certificate (for example, a
> certificate that can be used for MITM or “traffic management” of domain
> names or IPs that the certificate holder does not legitimately own or
> control) may result in immediate removal of the CA’s certificate(s) from
> Mozilla’s products.”

The effect required is that the CA is no longer able to issue new
trusted certificates, but we should not specify the technical means we
are using to achieve that effect. For example, it could be that NSS is
enhanced to allow "disable after date X" for roots. If so, we may choose
to use that function (to avoid breaking the web) rather than immediately
removing the roots. We should therefore use language here which is broad
enough to cover both possibilities.

So how about: "may result in immediate partial or full removal of trust
from the CA's certificates in Mozilla products"?

Gerv

secgu...@yandex.com

Apr 26, 2013, 2:51:12 PM
to dev-secur...@lists.mozilla.org
Quoting gerv:

> On 24/04/13 19:32, Kathleen Wilson wrote:
>> “One knowingly or intentionally mis-issued certificate (for example, a
>> certificate that can be used for MITM or “traffic management” of domain
>> names or IPs that the certificate holder does not legitimately own or
>> control) may result in immediate removal of the CA’s certificate(s) from
>> Mozilla’s products.”

[...]

> So how about: "may result in immediate partial or full removal of trust
> from the CA's certificates in Mozilla products"?
>
> Gerv

Hi,

a few clumsy questions:

Why "may result" and not "results"? Can trust be kept, if the CA
misissues knowingly and/or intentionally?

Is it possible for a CA to check whether the certificate holder does own
or control a domain "legitimately"? Think of cases where domains were
seized or password access to DNS records was phished.

Does it become clear, that trust is not only lost, if the *CA* misissues
knowingly and/or intentionally, but *anybody* (with access to the
signing keys/process)?
For example, some LEA can ask a CA to misissue, the CA declines:
" _We_ can't do this (intentionally) because of Mozilla's policy. But
here are our private keys, I leave the room for lunch and I don't want
to know what you are going to do in the next hour."


All the best.
sg

Kathleen Wilson

Apr 26, 2013, 8:33:34 PM
to mozilla-dev-s...@lists.mozilla.org
Thanks to those of you who have already provided feedback on this proposal.

I have created the working-area for the next round of updates to
Mozilla's CA Certificate Policy.

http://www.mozilla.org/projects/security/certs/policy/WorkInProgress
https://wiki.mozilla.org/CA:CertPolicyUpdates#Under_Consideration_for_Version_2.2

I added item #3 to the Enforcement policy, with modifications based on
the feedback and to make it consistent with the rest of the page.

http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html
"3. One knowingly or intentionally mis-issued certificate by the CA (for
example, a certificate that can be used for MITM or "traffic management"
of domain names or IPs that the certificate holder does not legitimately
own or control) will result in disablement (partially or fully) or
removal of all of the CA's certificates from Mozilla's products."


On 4/26/13 11:51 AM, secgu...@yandex.com wrote:
>
> Why "may result" and not "results"? Can trust be kept, if the CA
> misissues knowingly and/or intentionally?


I changed the "may" to "will", but I'm considering changing it back to
"may" because there could be unforeseen circumstances in which we might
not take this course of action. For instance, if the situation was dire
(e.g. being held at gunpoint), then we would probably take that into
account if the CA acted responsibly and notified us as soon as possible
that they had been compromised.



> Is it possible for a CA to check whether the certificate holder does own
> or control a domain "legitimately"? Think of cases where domains were
> seized or password access to DNS records was phished.


I'm not sure what the intent of this question is. If the CA follows the
necessary steps to confirm domain ownership/control, then I think they
have done their part. If the dns record was hacked in some way, I don't
think the CA could be held accountable for that.


> Does it become clear, that trust is not only lost, if the *CA* misissues
> knowingly and/or intentionally, but *anybody* (with access to the
> signing keys/process)?
> For example, some LEA can ask a CA to misissue, the CA declines:
> " _We_ can't do this (intentionally) because of Mozilla's policy. But
> here are our private keys, I leave the room for lunch and I don't want
> to know what you are going to do in the next hour."


I added "by the CA", because the intent of this additional item is to
say that there are ramifications for a CA who knowingly or intentionally
mis-issues a certificate. Of course CAs are also responsible for all of
their subCAs.

I am trying to distinguish knowing or intentional mis-issuance from a
mis-issuance due to the unfortunate situation where the CA is hacked but
immediately notices and takes appropriate measures to shut down the
attack and notify Mozilla.

In your example where the CA left the room to let someone else do the
mis-issuance, I would say that the CA is still responsible because they
knew what was happening, and it was in their premises which should be
very secure.

Thanks,
Kathleen
David E. Ross

Apr 27, 2013, 1:32:55 AM
to mozilla-dev-s...@lists.mozilla.org
On 4/26/13 5:33 PM, Kathleen Wilson wrote [in part]:
>
> http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html
> "3. One knowingly or intentionally mis-issued certificate by the CA (for
> example, a certificate that can be used for MITM or "traffic management"
> of domain names or IPs that the certificate holder does not legitimately
> own or control) will result in disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
>
> On 4/26/13 11:51 AM, secgu...@yandex.com wrote:
>>
>> Why "may result" and not "results"? Can trust be kept, if the CA
>> misissues knowingly and/or intentionally?
>
>
> I changed the "may" to "will", but I'm considering changing it back to
> "may" because there could be unforeseen circumstances in which we might
> not take this course of action. For instance, if the situation was dire
> (e.g. being held at gunpoint), then we would probably take that into
> account if the CA acted responsibly and notified us as soon as possible
> that they had been compromised.

The extreme example you give is a situation in which the certification
authority does NOT act willingly. That is, the CA does not purposely
intend to misbehave.

Section 3.4 of "Trust Service Principles and Criteria for Certification
Authorities (Version 2.0)" requires:
> The CA maintains controls to provide reasonable assurance that:
> physical access to CA facilities and equipment is limited to
> authorized individuals, protected through restricted security
> perimeters, and is operated under multiple person (at least dual
> custody) control ...
Thus, a well-run CA should never find itself in the extreme situation
you described. Issuing a certificate at gunpoint would represent a
situation where a CA failed to adhere to basic criteria for operating.

If the coercion were applied by the government where the CA operates,
however, that should be immediate grounds for deleting all of the CA's
root certificates. I can understand how a very well-run CA might find
itself coerced by its government into violating the basic CA criteria,
but safety for Mozilla users would then require immediate action to
remove that CA's roots.

secgu...@yandex.com

Apr 27, 2013, 12:33:51 PM
to dev-secur...@lists.mozilla.org
Quoting kwilson:

> Thanks to those of you who have already provided feedback on this proposal.

[...]

> "3. One knowingly or intentionally mis-issued certificate by the CA (for
> example, a certificate that can be used for MITM or "traffic management"
> of domain names or IPs that the certificate holder does not legitimately
> own or control) will result in disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
>
> On 4/26/13 11:51 AM, secguardian [...] wrote:
>>
>> Why "may result" and not "results"? Can trust be kept, if the CA
>> misissues knowingly and/or intentionally?
>
>
> I changed the "may" to "will", but I'm considering changing it back to
> "may" because there could be unforeseen circumstances in which we might
> not take this course of action. For instance, if the situation was dire
> (e.g. being held at gunpoint), then we would probably take that into
> account if the CA acted responsibly and notified us as soon as possible
> that they had been compromised.

I prefer "will".

Item #2 of the Enforcement policy starts with "Mozilla _may_ ... remove
..." - meaning Mozilla/community will argue before removing trust.

Item #3 deals with a more severe violation of policy ("knowingly or
intentionally mis-issued certificate"). Therefore trust should be
removed or suspended immediately.
The CA has the chance to prove that it was not responsible (or was forced
at gunpoint) and trust can be restored, after community discussion.
Reverse the burden of proof.

>> Is it possible for a CA to check whether the certificate holder does own
>> or control a domain "legitimately"? Think of cases where domains were
>> seized or password access to DNS records was phished.
>
>
> I'm not sure what the intent of this question is. If the CA follows the
> necessary steps to confirm domain ownership/control, then I think they
> have done their part. If the dns record was hacked in some way, I don't
> think the CA could be held accountable for that.

Excuse me, I probably misunderstood your example and thought the CA
should always check before issuing a certificate, if its client owns or
controls the domain _and_ that they do so "legitimately".
Now I see the CA only misissues, if the CA knows that the certificate
holder is "not legitimately" in control.

>> Does it become clear, that trust is not only lost, if the *CA* misissues
>> knowingly and/or intentionally, but *anybody* (with access to the
>> signing keys/process)?
>> For example, some LEA can ask a CA to misissue, the CA declines:
>> " _We_ can't do this (intentionally) because of Mozilla's policy. But
>> here are our private keys, I leave the room for lunch and I don't want
>> to know what you are going to do in the next hour."
>
>
> I added "by the CA", because the intent of this additional item is to
> say that there are ramifications for a CA who knowingly or intentionally
> mis-issues a certificate. Of course CAs are also responsible for all of
> their subCAs.

Instead of "by the CA" I preferred something like "by anyone" (inevitably
someone with access to the signing keys). Otherwise it seems that Mozilla
has to find evidence of no third party being involved and the CA can
always "escape" by claiming "We were hacked."
If there is a misissued certificate found in the wild, signed with the
CA keys, we should initially assume CA responsibility and act
accordingly. In the second run the CA can try to prove that it wasn't
(knowingly and/or intentionally) "guilty".

> I am trying to distinguish knowing or intentional mis-issuance from a
> mis-issuance due to the unfortunate situation where the CA is hacked but
> immediately notices and takes appropriate measures to shut down the
> attack and notify Mozilla.

Aren't these two situations already distinguished by the word
"knowing(ly)"? Can you speak of a "hack" if the hacked one knows
beforehand? Perhaps I am again misunderstanding.

> In your example where the CA left the room to let someone else do the
> mis-issuance, I would say that the CA is still responsible because they
> knew what was happening, and it was in their premises which should be
> very secure.

You're right and hopefully some CA lawyers won't find a dissenting judge

> Thanks,
> Kathleen

Thank you for taking these thoughts into consideration.

All the best.
sg

let...@gmail.com

May 6, 2013, 11:16:34 PM
to
Is it within scope to think about adding root CAs to a blacklist that have not previously been issued by Mozilla?

I am thinking of point-of-gun type MITM CA certificates that are forced by some governments upon their citizens to enable massive-scale "lawful" interception of SSL traffic. As an example, the newly spotted Iranian Root CA of CN=CUBE-CA.

Note that (IMHO) this is different from corporate MITM CAs. That's a valid local security policy.

Kathleen Wilson

Jun 10, 2013, 4:58:07 PM
to mozilla-dev-s...@lists.mozilla.org
On 4/26/13 5:33 PM, Kathleen Wilson wrote:
> I added item #3 to the Enforcement policy, with modifications based on
> the feedback and to make it consistent with the rest of the page.
>
> http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html
>
> "3. One knowingly or intentionally mis-issued certificate by the CA (for
> example, a certificate that can be used for MITM or "traffic management"
> of domain names or IPs that the certificate holder does not legitimately
> own or control) will result in disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
After internal review of the changes that have been proposed to version
2.2 of Mozilla's CA Certificate Policy, I need to re-visit the 3rd item
that we are adding to the enforcement policy.

The currently proposed text is:

http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html
"3. One knowingly or intentionally mis-issued certificate by the CA (for
example, a certificate that can be used for MITM or "traffic management"
of domain names or IPs that the certificate holder does not legitimately
own or control) will result in disablement (partially or fully) or
removal of all of the CA's certificates from Mozilla's products."


The replacement text that I would like to propose is:
"3. Mozilla will take any steps we deem appropriate to protect our users
if we learn that a CA has knowingly or intentionally mis-issued one or
more certificates (for example, issuing a certificate that can be used
for MITM or "traffic management" of domain names or IP addresses that
the certificate holder does not legitimately own or control). This may
include, but is not limited to disablement (partially or fully) or
removal of all of the CA's certificates from Mozilla's products."

I will appreciate your constructive feedback on the newly proposed text.

Thanks,
Kathleen

Rob Stradling

Jun 11, 2013, 5:07:10 AM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 10/06/13 21:58, Kathleen Wilson wrote:
<snip>
> The replacement text that I would like to propose is:
> "3. Mozilla will take any steps we deem appropriate to protect our users
> if we learn that a CA has knowingly or intentionally mis-issued one or
> more certificates (for example, issuing a certificate that can be used
> for MITM or "traffic management" of domain names or IP addresses that
> the certificate holder does not legitimately own or control). This may
> include, but is not limited to disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
> I will appreciate your constructive feedback on the newly proposed text.

Hi Kathleen.

"...domain names or IP addresses that the certificate holder does not
legitimately own..." implies that it's possible to _illegitimately own_
domain names and IP addresses.

Is it ever possible to own something illegitimately?
Or does illegitimacy imply non-ownership?


Imaginary scenario:
- Somebody registers the domain i-love-widgets.com. "widget" is a
trademark belonging to somebody else, but that isn't something that the
domain registrar considers.
- The new domain holder then applies for an SSL Certificate for
www.i-love-widgets.com. They are able to prove to the CA that they both
own and control this domain.
- The CA knowingly and intentionally issues the certificate.
- The owner of the "widget" trademark then discovers
i-love-widgets.com and decides to take legal action.
- The courts decide that the domain holder must surrender the domain.

At the time the CA knowingly and intentionally issued the certificate,
did the domain holder...
1. own the domain legitimately or illegitimately?
2. control the domain legitimately or illegitimately?

Did the CA mis-issue, or not?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

fhw...@gmail.com

Jun 11, 2013, 11:40:29 AM
to mozilla-dev-s...@lists.mozilla.org
Or, to put it another way, how is ownership to be determined? I think we need to elaborate that point so that Mozilla and cert issuers alike are working from the same, open, and verifiable standard. 

Beyond that, though, I'm not sure I agree with the proposed change. Could you elaborate a bit, Kathleen, on any internal concerns that prompted the change?

Thanks.

From: Rob Stradling
Sent: Tuesday, June 11, 2013 4:08 AM
To: Kathleen Wilson
Subject: Re: Proposing an addition to the Enforcement Policy

On 10/06/13 21:58, Kathleen Wilson wrote:
<snip>
> The replacement text that I would like to propose is:
> "3. Mozilla will take any steps we deem appropriate to protect our users
> if we learn that a CA has knowingly or intentionally mis-issued one or
> more certificates (for example, issuing a certificate that can be used
> for MITM or "traffic management" of domain names or IP addresses that
> the certificate holder does not legitimately own or control). This may
> include, but is not limited to disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>

Kathleen Wilson

Jun 11, 2013, 8:35:12 PM
to mozilla-dev-s...@lists.mozilla.org
So I should remove the word "legitimately" from this part:
(for example, issuing a certificate that can be used for MITM or
"traffic management" of domain names or IP addresses that the
certificate holder does not *legitimately* own or control)

Correct? Or are you recommending a more substantial change?

Thanks,
Kathleen

Kathleen Wilson

Jun 11, 2013, 9:07:18 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/11/13 8:40 AM, fhw...@gmail.com wrote:
> Or, to put it another way, how is ownership to be determined? I think we
> need to elaborate that point so that Mozilla and cert issuers alike are
> working from the same, open, and verifiable standard.


I intended this addition to make it very clear in the policy that MITM
certs shall not chain up to publicly trusted roots.

If I'm interpreting your comments correctly, then you are in agreement
with what Eddy said previously about making a point that SSL certs must
be issued according to the CAB Forum's BRs -- "any certificate that
would be issued for any MITM purpose would not have been issued
according to those requirements (for example domain control validation)
it itself could be a reason for non-compliance."

So there should be a more substantial change to the text.

How about the following?

"3. Mozilla will take any steps we deem appropriate to protect our users
if we learn that a CA has knowingly or intentionally mis-issued one or
more certificates. This may include, but is not limited to disablement
(partially or fully) or removal of all of the CA's certificates from
Mozilla's products. A certificate which includes domain names that have
not been verified according to Baseline Requirement #11.1.1 is
considered to be mis-issued. Additionally, a certificate that is used by
web proxy devices to intercept SSL sessions and issue its own
certificate to match the server’s certificate is also considered to be
mis-issued."


>
> Beyond that, though, I'm not sure I agree with the proposed change.
> Could you elaborate a bit, Kathleen, on any internal concerns that
> prompted the change?


Legal review of the draft of version 2.2 of the policy prompted the
changes to the proposed text, with the following goals in mind:
- Mozilla needs to be able to take whatever action we deem is
appropriate given the situation.
- The wording needs to be strong enough that CAs can point to it if
someone (such as a government) is trying to compel them to mis-issue a
certificate.

Thanks,
Kathleen

Jürgen Brauckmann

Jun 12, 2013, 4:04:33 AM
to mozilla-dev-s...@lists.mozilla.org
Kathleen Wilson schrieb:
> How about the following?
>
> "3. Mozilla will take any steps we deem appropriate to protect our users
> if we learn that a CA has knowingly or intentionally mis-issued one or
> more certificates. This may include, but is not limited to disablement
> (partially or fully) or removal of all of the CA's certificates from
> Mozilla's products. A certificate which includes domain names that have
> not been verified according to Baseline Requirement #11.1.1 is
> considered to be mis-issued.

I think it's very appropriate to make a reference to the BR.

> Additionally, a certificate that is used by
> web proxy devices to intercept SSL sessions and issue its own
> certificate to match the server’s certificate is also considered to be
> mis-issued."

That's not OK, because this sentence refers to behaviour of equipment
that the CA has no control over:

A CA can issue a correct certificate with correct names and correct
extensions (key usages, basic constraints), and a web proxy device could
nevertheless, in violation of all standards, use the certificate to sign
further MITM-certificates. Even if these MITM-certificates will not work
in Firefox and hopefully most other software in use today, the CA would
be "guilty" without having done anything wrong.

How about a statement about correct key usages and basic constraints?

"A certificate which is intended to be an end entity certificate but
includes a keyUsage extension with values keyCertSign and/or cRLSign or
a basicConstraints extension with the cA field set to true is considered
to be mis-issued."


(A reference to the BR would not work, as the BR cover only server
certificates).

Regards,
Jürgen
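The extension check Jürgen describes above (an end-entity certificate carrying basicConstraints cA=TRUE or a keyUsage asserting keyCertSign/cRLSign), together with Kathleen's point that a certificate used by an intercepting proxy to sign further certificates counts as mis-issued, lends itself to a concrete lint. The following is an added example and is not code from the thread, from Mozilla or from any CA; it walks the DER of a certificate in pure Python (single-byte tags only, no signature or chain validation) and reports which CA-only capabilities the certificate asserts. The two sample certificates are constructed skeletons with placeholder names, keys and signature, built by the small encoder at the bottom so the check runs offline; real input would be the DER bytes of an actual certificate.

```python
# Added example: flag the "leaf that can act as a CA" pattern from the thread.
# Pure-Python DER walk; the sample certificates are CONSTRUCTED skeletons.

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # 2.5.29.15
KU_KEY_CERT_SIGN, KU_CRL_SIGN = 5, 6              # RFC 5280 KeyUsage bit numbers


def der_read(buf, pos=0):
    """Read one DER TLV (single-byte tag, short or long length) at pos.
    Returns (tag, content bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: 0x8n then n length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed element into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def bitstring_bits(value):
    """DER BIT STRING content -> set of asserted bit indices. Bit 0 is the most
    significant bit of the first data octet; the leading octet counts unused bits."""
    unused, data = value[0], value[1:]
    return {i for i in range(len(data) * 8 - unused) if data[i // 8] & (0x80 >> (i % 8))}


def extensions_of(cert_der):
    """Certificate -> tbsCertificate -> [3] EXPLICIT Extensions.
    Returns [(oid bytes, critical, extnValue inner DER), ...]."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    found = []
    for tag, val in der_children(tbs):
        if tag != 0xA3:                            # context tag [3] wraps SEQUENCE OF Extension
            continue
        _, ext_seq, _ = der_read(val)
        for _, ext in der_children(ext_seq):
            parts = der_children(ext)              # OID, optional BOOLEAN critical, OCTET STRING
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            found.append((parts[0][1], critical, parts[-1][1]))
    return found


def ca_capabilities(cert_der):
    """List the CA-only capabilities the certificate asserts (empty for a clean leaf)."""
    findings = []
    for oid, _critical, extn_value in extensions_of(cert_der):
        if oid == OID_BASIC_CONSTRAINTS:
            _, bc, _ = der_read(extn_value)        # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
            fields = der_children(bc)
            if fields and fields[0] == (0x01, b"\xff"):
                findings.append("basicConstraints cA=TRUE")
        elif oid == OID_KEY_USAGE:
            _, bits, _ = der_read(extn_value)      # BIT STRING
            asserted = bitstring_bits(bits)
            if KU_KEY_CERT_SIGN in asserted:
                findings.append("keyUsage keyCertSign")
            if KU_CRL_SIGN in asserted:
                findings.append("keyUsage cRLSign")
    return findings


def is_misissued_end_entity(cert_der):
    """A certificate meant for a server / end entity is mis-issued if it carries any CA capability."""
    return bool(ca_capabilities(cert_der))


# --- constructed sample input (tiny encoder; not real, signed certificates) ---
def tlv(tag, content):
    assert len(content) < 0x80                     # short-form length suffices for these samples
    return bytes([tag, len(content)]) + content


def extension(oid, critical, inner_der):
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, inner_der))


def key_usage(bits):
    """Encode a set of KeyUsage bit indices as a DER BIT STRING."""
    nbytes = max(bits) // 8 + 1
    data = bytearray(nbytes)
    for b in bits:
        data[b // 8] |= 0x80 >> (b % 8)
    return tlv(0x03, bytes([nbytes * 8 - max(bits) - 1]) + bytes(data))


def skeleton_cert(exts):
    """Structurally valid but unsigned Certificate with placeholder fields (constructed for the demo)."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")     # version v3, serialNumber
           + tlv(0x30, b"") * 5                                   # sigalg, issuer, validity, subject, spki placeholders
           + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


MITM_CAPABLE_LEAF = skeleton_cert([
    extension(OID_BASIC_CONSTRAINTS, True, tlv(0x30, tlv(0x01, b"\xff"))),
    extension(OID_KEY_USAGE, True, key_usage({KU_KEY_CERT_SIGN, KU_CRL_SIGN})),
])
PROPER_LEAF = skeleton_cert([
    extension(OID_BASIC_CONSTRAINTS, True, tlv(0x30, b"")),       # cA absent -> DEFAULT FALSE
    extension(OID_KEY_USAGE, True, key_usage({0, 2})),             # digitalSignature, keyEncipherment
])

if __name__ == "__main__":
    for name, cert in (("mitm-capable leaf", MITM_CAPABLE_LEAF), ("proper leaf", PROPER_LEAF)):
        print(name, ca_capabilities(cert))
```

The same findings on a certificate that was intended as an intermediate are of course legitimate, which is exactly Jürgen's point: the lint tells you what the certificate can do, and the policy question is whether the CA meant to hand that capability to a subscriber. Note also that the keyUsage bit numbering counts from the most significant bit of the first octet, a detail that is easy to get backwards when writing such checks by hand.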

Rob Stradling

Jun 12, 2013, 5:12:19 AM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 12/06/13 01:35, Kathleen Wilson wrote:
<snip>
> So I should remove the word "legitimately" from this part:
> (for example, issuing a certificate that can be used for MITM or
> "traffic management" of domain names or IP addresses that the
> certificate holder does not *legitimately* own or control)
>
> Correct? Or are you recommending a more substantial change?

Correct.

Jean-Marc Desperrier

Jun 12, 2013, 6:21:22 AM
to mozilla-dev-s...@lists.mozilla.org
Kathleen Wilson a écrit :
> The currently proposed text is:
> "3. One knowingly or intentionally mis-issued certificate by the CA (for
> example, a certificate that can be used for MITM or "traffic management"
> of domain names or IPs that the certificate holder does not legitimately
> own or control) will result in disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
> The replacement text that I would like to propose is:
> "3. Mozilla will take any steps we deem appropriate to protect our users
> if we learn that a CA has knowingly or intentionally mis-issued one or
> more certificates (for example, issuing a certificate that can be used
> for MITM or "traffic management" of domain names or IP addresses that
> the certificate holder does not legitimately own or control). This may
> include, but is not limited to disablement (partially or fully) or
> removal of all of the CA's certificates from Mozilla's products."
>
> I will appreciate your constructive feedback on the newly proposed text.

I think the first version is better. In my understanding, this paragraph
is there only to make it as clear as possible for CAs that only one
purposely mis-issued certificate is enough for all hell to break loose.
So the only purpose of the wording is to make that as blatant and
unmistakable as possible even for people who wish not to understand it,
and the second version is not as good to this regard.

May I suggest the following to reconcile the two versions:
"3. Learning of one knowingly or intentionally mis-issued certificate by
the CA (for example, a certificate that can be used for MITM or "traffic
management" of domain names or IPs that the certificate holder does not
legitimately own or control) will result in Mozilla taking any steps we
deem appropriate to protect our users from the CA's action. This will
include, but is not limited to disablement (partially or fully) or
removal of all of the CA's certificates from Mozilla's products."

I've put "will include" again, instead of the "may". I think the
exceptional case where you wish more flexibility with regard to
disabling/removing the CA or not is covered by the possibility of a
partial disablement. This gives you the ability to decide for example
that the CA is disabled only for a given period of time.
The "will" wording does constrain Mozilla to do something. I think this
self-constraint is not a bad thing, especially as it helps remove any
hope for the CA to be able to explain away the problem.

I also removed the "or more" since it only weakens the wording. Several
mis-issued certificates unambiguously and logically include the situation of
one mis-issued certificate.

secgu...@yandex.com

Jun 12, 2013, 4:57:54 PM
to dev-secur...@lists.mozilla.org
Quoting jmdesp:

[...]

> The "will" wording does constrain Mozilla to do something. I think this
> self-constraint is not a bad thing, especially as it helps remove any
> hope for the CA to be able to explain away the problem.
>

I second that. "May" sounds like "weasel" wording.
If Mozilla is convinced that a CA has "knowingly or intentionally
mis-issued" a certificate there should not remain any chances to argue.
Otherwise we might get first and second class CAs: some will be
punished, others get away with it (probably the bigger ones).

The user can only trust in Mozilla's ability to provide secure
connections without anyone listening in the middle if the abuse of
Mozilla-granted power by any CA is a one-shot operation and end of
business (with Mozilla).

A "may" without the self-constraint of a "will" translates to the user
as "Perhaps we do something but you can not be sure. We gave them the
power to spy on you, we know they used it and it might happen again
because ..."
Well ... because why? Any reason will (only) damage Mozilla's reputation.

I'm scared to ask:
Is there any possibility that Mozilla gets and obeys any order by anyone
to keep the trust bits and/or is not allowed to talk about it?

[...]

All the best.
sg

Kathleen Wilson

Jun 13, 2013, 1:56:10 PM
to mozilla-dev-s...@lists.mozilla.org
Thanks to all of you for your input and suggestions.

I did a quick review with a Mozilla legal representative, and he is OK
with the following:

"3. Learning of one knowingly or intentionally mis-issued certificate by
a CA (for example, a certificate that can be used for MITM or "traffic
management" of domain names or IP addresses that the certificate holder
does not own or control) will result in Mozilla taking any steps we deem
appropriate to protect our users from the CA's action. This may include,
but is not limited to disablement (partially or fully) or removal of all
of the CA's certificates from Mozilla's products. A certificate which
includes domain names that have not been verified according to the
CA/Browser Forum's Baseline Requirement #11.1.1 is considered to be
mis-issued."


We understand your points about the "may" sounding like weasel wording.
The above text says that we *will* take action, and we commit to taking
an action. But we cannot commit ourselves to what the exact action is,
because it depends on the situation and there may be edge cases that we
have not yet considered. I believe this is common/standard legalese.


>
> I'm scared to ask:
> Is there any possibility that Mozilla gets and obeys any order by anyone
> to keep the trust bits and/or is not allowed to talk about it?
>

I have not ever seen a mandate to keep the trust bits enabled for a root
cert. I try to run the program in a fair and non-biased manner.


Thanks
Kathleen

secgu...@yandex.com

Jun 14, 2013, 9:22:41 PM
to dev-secur...@lists.mozilla.org
Quoting kwilson:

> Thanks to all of you for your input and suggestions.
>
> I did a quick review with a Mozilla legal representative, and he is OK
> with the following:
>
> "3. Learning of one knowingly or intentionally mis-issued certificate by
> a CA (for example, a certificate that can be used for MITM or "traffic
> management" of domain names or IP addresses that the certificate holder
> does not own or control) will result in Mozilla taking any steps we deem
> appropriate to protect our users from the CA's action. This may include,
> but is not limited to disablement (partially or fully) or removal of all
> of the CA's certificates from Mozilla's products. A certificate which
> includes domain names that have not been verified according to the
> CA/Browser Forum's Baseline Requirement #11.1.1 is considered to be
> mis-issued."
>
>
> We understand your points about the "may" sounding like weasel wording.
> The above text says that we *will* take action, and we commit to taking
> an action. But we cannot commit ourselves to what the exact action is,
> because it depends on the situation and there may be edge cases that we
> have not yet considered. I believe this is common/standard legalese.
>

The desire to be flexible is understandable, and this version is harsher
than the former. As I read it, Mozilla shows its weapons (to the CAs)
and the intention to use them, but the text also covers the (extreme)
case of doing nothing at all.
By promoting the "will" wording I appeal to the courage of Mozilla to
some kind of self-constraint the user can rely on. If this minimum of
action cannot be the removal of trust bits, there shall be some less
severe but verifiable steps which are taken under all circumstances.
At least, for example, a commitment to publicly disclose the mis-issued
certificate, its root cert and all known facts on a dedicated Mozilla
website.

>>
>> I'm scared to ask:
>> Is there any possibility that Mozilla gets and obeys any order by anyone
>> to keep the trust bits and/or is not allowed to talk about it?
>>
>
> I have not ever seen a mandate to keep the trust bits enabled for a root
> cert. I try to run the program in a fair and non-biased manner.
>

I never intended to criticize your open and motivating work. I apologize
for any misleading wording.

In times where it is supposed to be lawful for some 3-letter agencies to
spy on foreigners with the help of secret courts and private
corporations, whose cooperating employees are not allowed to speak
freely to the public, fear and mistrust are spreading.
It is a pity and a shame, but as a countermeasure the worst case always
has to be considered first.

> Thanks
> Kathleen

All the best.
sg

Jan Schejbal

unread,
Jun 15, 2013, 7:08:22 PM6/15/13
to mozilla-dev-s...@lists.mozilla.org
Am 2013-06-11 11:07, schrieb Rob Stradling:
> Did the CA mis-issue, or not?

This is not the question; the question is whether it mis-issued
knowingly and/or intentionally. IMO, "mis-issued knowingly" means that
the CA *issued* knowingly, *and* that it knew about the fact that it was
mis-issuing, which it didn't in your example.

If there was a court order that the domain needs to be handed over,
*and* the CA knew of it, and they still issued a cert for the
still-current (illegitimate) "owner", *that* would be a case of policy
violation.

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

Jan Schejbal

unread,
Jun 15, 2013, 7:23:31 PM6/15/13
to mozilla-dev-s...@lists.mozilla.org
Am 2013-06-13 19:56, schrieb Kathleen Wilson:
>
> We understand your points about the "may" sounding like weasel wording.
> The above text says that we *will* take action, and we commit to taking
> an action. But we cannot commit ourselves to what the exact action is,
> because it depends on the situation and there may be edge cases that we
> have not yet considered. I believe this is common/standard legalese.

I expect that with the "may" wording, if a large CA is caught doing it,
there is a large chance it will be deemed "too big to fail" and not
removed, instead of doing the right thing. This is why I would like to
see Mozilla commit to do the right thing and use "will" instead of "may".


I think it would also be great to add a sentence about government
snooping to clarify that "knowingly or intentionally" means "knowingly
or intentionally" and not "knowingly and willingly", e.g.:

"This includes certificates issued for the purpose of government
surveillance, even if issued due to a court order."

Reasoning: The interests of a CA are totally irrelevant here. While it
sucks for a CA to be removed due to something it cannot influence, the
purpose of the Root program and PKI is not to provide a market for CAs,
but to provide security for users.

Rob Stradling

unread,
Jun 17, 2013, 8:03:13 AM6/17/13
to jan.sche...@gmx.de, mozilla-dev-s...@lists.mozilla.org
On 16/06/13 00:08, Jan Schejbal wrote:
> Am 2013-06-11 11:07, schrieb Rob Stradling:
>> Did the CA mis-issue, or not?
>
> This is not the question, the question is whether it mis-issued
> knowingly and/or intentionally. IMO, "mis-issued knowingly" means that
> the CA *issued* knowingly, *and* that it knew about the fact that it was
> misissuing, which it didn't in your example.
>
> If there was a court order that the domain needs to be handed over,
> *and* the CA knew of it, and they still issued a cert for the
> still-current (illegitimate) "owner", *that* would be a case of policy
> violation.

Good points. Thanks Jan.

Kathleen Wilson

unread,
Jun 17, 2013, 2:36:36 PM6/17/13
to mozilla-dev-s...@lists.mozilla.org
On 6/15/13 4:23 PM, Jan Schejbal wrote:
> Am 2013-06-13 19:56, schrieb Kathleen Wilson:
>>
>> We understand your points about the "may" sounding like weasel wording.
>> The above text says that we *will* take action, and we commit to taking
>> an action. But we cannot commit ourselves to what the exact action is,
>> because it depends on the situation and there may be edge cases that we
>> have not yet considered. I believe this is common/standard legalese.
>
> I expect that with the "may" wording, if a large CA is caught doing it,
> there is a large chance it will be deemed "too big to fail" and not
> removed, instead of doing the right thing. This is why I would like to
> see Mozilla commit to do the right thing and use "will" instead of "may".
>


I updated the WorkInProgress page so we can review it in context with
the other text in the page:

http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/EnforcementPolicy.html

I understand the concerns about "too big to fail". But please note item
2 in the page: "Mozilla will disable or remove a certificate if the CA
demonstrates ongoing or egregious practices..."

The new item #3 is specifically meant to call out MITM/surveillance
usage of certs chaining to publicly trusted roots. I think the current
text accomplishes my goal, even though I cannot include the second "will".


>
> I think it would also be great to add a sentence about government
> snooping to clarify that "knowingly or intentionally" means "knowingly
> or intentionally" and not "knowingly and willingly", e.g.:
>
> "This includes certificates issued for the purpose of government
> surveillance, even if issued due to a court order."
>
> Reasoning: The interests of a CA are totally irrelevant here. While it
> sucks for a CA to be removed due to something it cannot influence, the
> purpose of the Root program and PKI is not to provide a market for CAs,
> but to provide security for users.
>


I prefer to leave it as "knowingly or intentionally", which includes
government/court orders, as well as other scenarios.

Thanks,
Kathleen
