On Mon, 10 May 2021 17:13:41 -0600
Ben Wilson <bwi...@mozilla.com> wrote:
> All,
>
> Kathleen and I would like your input on how we should quantify the
> value of adding a new CA.
Hello Ben and Kathleen,
Thank you for the wiki page. Although it's valuable to ask CAs to
explain why they should be included I think it will also be valuable
for Mozilla and other root trust stores to think about what *they* want
to achieve in terms of how many or few trusted CAs and whether there are
particular traits those CAs must or should have or which Mozilla
explicitly should not care about.
For example, I expect we all agree that *one* CA is too few, but is *ten*
too few, or is that perhaps satisfactory?
A million obviously feels like too many. Just managing the paperwork
would take a far larger team than yourselves even with CCADB. But is a
*thousand* also too many?
-
For traits, I'm thinking about things like: Do we want diversity in
terms of where geographically the responsible entity is, so that
Mozilla would prefer a new Russian CA over yet another Californian one?
Do we want diversity in funding models, so Mozilla would prefer to see
a mix of government agencies, non-profits, listed companies, etc.? Or
are some models preferred over others?
Do we want to see diversity inside the CA entities themselves? Does it
matter to Mozilla whether executives at a CA are women, minorities,
disabled, etc.? Or is this definitively a matter for the CA, not Mozilla?
Do we want to see Certificate Authorities that are excited to dip their
toes into new opportunities? Is a CA preferred if they're sponsoring a
TLS Working Group experiment that injects a novel OID into X.509 certs,
or contrariwise is such adventurousness exactly what we don't want to
see from a reliable CA?
-
Finally, there may already be policy about this, but it seems to me that
the discussions and supporting evidence are different between perhaps
three scenarios:
1. An existing trusted CA wants to replace a root, with an explicit
intent to retire some existing root, either one expected to expire soon
or for other reasons.
I see this scenario as mostly about technical checks. We already trust
these people and this does not multiply Mozilla's problems. I think
Mozilla should express a general intent to issue in these cases
*despite* retaining the legal right to do whatever it wants.
2. An existing trusted CA wants to mint a new root to add to their
stable.
Unlike (1) this does increase the overhead for Mozilla, and it incurs
an ongoing additional trust burden so it seems appropriate to gather
community feedback, if any, about the change and seek a justification
beyond "We want to do this and we're trusted" for why this ought to be
a new trusted root.
3. An entity not previously trusted by Mozilla wants to join the root
programme.
This clearly requires the most scrutiny, the most justification from an
applicant, and the most in-depth discussion before accepting a new
CA. This is the category where I believe the questions I had above for
Mozilla (and other trust stores) matter, to guide us as much as the
answers from the applicant.
Nick.