evaluation of aggregate behaviour for CAs
335 views
Skip to first unread message
Mike Shaver
May 2, 2024, 5:09:55 PMMay 2
to dev-secur...@mozilla.org
Hello,
I have been re-reading the Mozilla root policy, which necessarily leaves substantial discretion to Mozilla as to when revocation of a root (or otherwise constraining it, if such capabilities existed) is appropriate.
From also reviewing a number of historical incidents in Bugzilla, it seems that currently the decision as to whether to sanction a CA is largely evaluated on a per-incident basis: is this specific incident sufficient grounds to disrupt subscribers and relying parties by forcibly revoking some or all of the CA's issued certificates?
Unfortunately, this in my opinion undermines the integrity of the root programs, because it means that the pattern of behaviour of a CA over time doesn't really have a place in the conversations. There is no summary discussion of a CA, even given a pattern of similar incidents, which might lead Mozilla and the WebPKI community to decide that said CA was a liability to the integrity—both technical and political—of the root program.
I'm posting here not to conduct such a summary discussion of any specific CA (yet), but to start a conversation about what the WebPKI community represented here might think appropriate as a structure for such historical evaluations, and also what tests we might apply to determine if a CA should have its inclusion formally reconsidered in some way.
I have my own thoughts on the topic, perhaps obviously, but I would like to first leave some space for others to present their opinions.
Mike
Watson Ladd
May 2, 2024, 5:54:28 PMMay 2
to Mike Shaver, dev-secur...@mozilla.org
recent memory I can recall Camerfirma
(https://wiki.mozilla.org/CA/Camerfirma_Issues and
mozilla.dev.security.policy) and I recall a few more that searching
hasn't turned up yet.
Sincerely,
Watson Ladd
>
> Mike
>
> --
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZquoSciv1F-xyqrhZoTobpV2x%2Bcn%3D8jbBtbzsZrdtsJLZg%40mail.gmail.com.
--
Astra mortemque praestare gradatim
Mike Shaver
May 2, 2024, 6:00:58 PMMay 2
to Watson Ladd, dev-secur...@mozilla.org
On Thu, 2 May 2024 at 17:54, Watson Ladd <watso...@gmail.com> wrote:
Bugzilla is not the place to look for this kind of conversation. In
recent memory I can recall Camerfirma
(https://wiki.mozilla.org/CA/Camerfirma_Issues and
mozilla.dev.security.policy) and I recall a few more that searching
hasn't turned up yet.
Oh indeed Bugzilla isn't the place for it, but it's the only place that seems to have discussion of CA behaviour that doesn't rise to the near-criminal.
That wiki page about Camerfirma seems like it is just a list of Bugzilla issues, and doesn't have any associated aggregate analysis. Did that discussion and subsequent decision about action happen only in the mailing list?
Mike
Andrew Ayer
May 2, 2024, 6:25:42 PMMay 2
to Mike Shaver, dev-secur...@mozilla.org
Hi Mike,
On Thu, 2 May 2024 17:09:42 -0400
Mike Shaver <mike....@gmail.com> wrote:
> From also reviewing a number of historical incidents in Bugzilla, it
> seems that currently the decision as to whether to sanction a CA is
> largely evaluated on a per-incident basis: is this specific incident
> sufficient grounds to disrupt subscribers and relying parties by
> forcibly revoking some or all of the CA's issued certificates?
This has not been the case for at least 7 years:
Symantec: https://groups.google.com/g/mozilla.dev.security.policy/c/kxs3kyqRqYU/m/QDPpj9pOEAAJ
WoSign/Startcom: https://groups.google.com/g/mozilla.dev.security.policy/c/k9PBmyLCi8I/m/mKSMaz9eCgAJ
PROCERT: https://groups.google.com/g/mozilla.dev.security.policy/c/lqZersN26VA/m/NVLf6YPWAAAJ
Certinomis: https://groups.google.com/g/mozilla.dev.security.policy/c/rmU311hOIIc/m/36RWof79CgAJ
Camerfirma: https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/diOfeWNpBQAJ
These CAs were all distrusted based not on a single incident but rather
their aggregate behavior.
Regards,
Andrew
On Thu, 2 May 2024 17:09:42 -0400
Mike Shaver <mike....@gmail.com> wrote:
> From also reviewing a number of historical incidents in Bugzilla, it
> seems that currently the decision as to whether to sanction a CA is
> largely evaluated on a per-incident basis: is this specific incident
> sufficient grounds to disrupt subscribers and relying parties by
> forcibly revoking some or all of the CA's issued certificates?
Symantec: https://groups.google.com/g/mozilla.dev.security.policy/c/kxs3kyqRqYU/m/QDPpj9pOEAAJ
WoSign/Startcom: https://groups.google.com/g/mozilla.dev.security.policy/c/k9PBmyLCi8I/m/mKSMaz9eCgAJ
PROCERT: https://groups.google.com/g/mozilla.dev.security.policy/c/lqZersN26VA/m/NVLf6YPWAAAJ
Certinomis: https://groups.google.com/g/mozilla.dev.security.policy/c/rmU311hOIIc/m/36RWof79CgAJ
Camerfirma: https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/diOfeWNpBQAJ
These CAs were all distrusted based not on a single incident but rather
their aggregate behavior.
Regards,
Andrew
Mike Shaver
May 2, 2024, 6:27:51 PMMay 2
to Andrew Ayer, dev-secur...@mozilla.org
Oh, I feel dumb for not searching the old Google group, considering that I used to subscribe to it.
Thanks for that, I'll review those cases and see how they were brought forward.
Mike
Reply all
Reply to author
Forward
0 new messages