New wiki page called CA:Root_Change_Process
Date: Wed, 03 Feb 2010 07:48:57 -0800
From: "David E. Ross" <nob...@nowhere.invalid>
Newsgroups: mozilla.dev.security.policy
Subject: Re: New wiki page called CA:Root_Change_Process
Message-ID: <uLOdndhbXPl2B_TWnZ2dnUVZ_rmdnZ2d@mozilla.org>
On 2/2/2010 2:45 PM, David E. Ross wrote:
> On 2/1/2010 4:02 PM, Kathleen Wilson wrote:
>> I have created a new wiki page which outlines the process for changing a
>> root certificate that is currently included in NSS. This includes the
>> process for disabling or removing a root certificate from NSS.
>>
>> https://wiki.mozilla.org/CA:Root_Change_Process
>>
>> This page is linked to from https://wiki.mozilla.org/CA:Overview in the
>> "Work in progress" section. The link is called "Root Change Process".
>>
>> In writing this process, I have taken into account input that was
>> provided through previous discussions, bug postings, the previous
>> removal policy notes
>> (https://wiki.mozilla.org/CA:Root_Removal_Policy_Notes), and my current
>> work to clean up the legacy roots that are no longer audited/used.
>>
>> I will greatly appreciate your feedback on the new documentation for the
>> root change process: https://wiki.mozilla.org/CA:Root_Change_Process
>>
>> Kathleen
>
> Much of this Wiki reads like a policy and not merely a procedure. After
> an extended public discussion, I think this should be subjected to
> formal approval by the Mozilla organization, moved out of
> wiki.mozilla.org, and made into a Web page at
> http://www.mozilla.org/projects/security/certs.
>
> Under "Add a Trust Bit", the first two bullets under #4 currently read
> as if an existing bug report is being updated. However, #4 is clearly
> about a new bug. In the first bullet, "Change the bug summary ... "
> should instead be "Set the bug summary ... ". In the second bullet, "In
> the bug description add a reference ... " should instead be "In the bug
> description, include a reference ... ". (Note the added comma.) This
> same comment applies to #4 under "Enable EV".
>
> Under "Disable a Root", #1 does not indicate a need for the affected CA
> to submit the bug report. Instead, this section implies that anyone can
> submit it. This is different from "Add a Trust Bit" and "Enable EV",
> both of which state in their lead sentences that the affected CA submits
> the bug report. If this difference is intentional, there should be no
> implication; an explicit statement is needed. For example, #1 could
> read: "Any individual may initiate the request."
>
> Under "Disable a Root", the second subbullet under the first bullet of
> #3 is not worded in parallel with the first subbullet. It looks
> strange. Perhaps, it should be "Whether the root certificate should be
> removed from NSS instead of unsetting trust bits." (In the first
> subbullet, "trust bits" should not be capitalized.)
>
> Under "Disable a Root", the fourth bullet under #3 is not clear. Where
> it says " ... a qualified representative of either the CA or Mozilla has
> ... ", is the qualified representative of Mozilla distinct from the
> Mozilla representative cited at the beginning of the sentence? I think
> it should be; that is, it should take at least two senior Mozilla staff
> members to disable a root if the CA is not in agreement.
>
> In #4-6 under "Disable a Root" (referring back to my comment immediately
> above), to which representative of Mozilla do these refer?
>
> In #7 under "Disable a Root", are you able to unset a trust bit in a
> root certificate that is already installed in a Mozilla-based product on
> my PC? That raises the question under "Add a Trust Bit": Are you able
> to set a trust bit in a root certificate that is already installed in a
> Mozilla-based product on my PC? What if I have already changed a trust
> bit in my own configuration to a value different from the way it is in
> the controlled NSS database?
>
> Under "Disable a Root", the same comments for "Disable a Root" also
> apply. Regarding the comment about unsetting and setting trust bits for
> "Disable a Root", I question whether you are able to remove a root
> certificate from my own PC's configuration. What if I have added a root
> certificate that is not in the controlled NSS database? If you do
> indeed remove a root certificate from my PC and I then add it back into
> my configuration, can you later remove it again?
>
One additional comment:
Under both "Disable a Root" and "Disable a Root", the process described
in the Wiki will take too long if there is a serious security
vulnerability resulting from the presence of a certificate root in the
NSS database or the setting of a particular trust bit in that
certificate. Both of these sections require some provision for
"shortcutting" the process in that case, possibly skipping step #5 and
placing step #8 ahead of step #7.
--
David E. Ross
<http://www.rossde.com/>.
Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997