--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b0e3c58a-26b1-430c-9aeb-7763bdda6345n%40mozilla.org.
> The CA operator is in a global region that cannot use the CCADB, or is not capable of entering into a contractual agreement with a US-based company.
Is this means US government can control whether any CA is in Mozilla root store?
Thank you all for your feedback so far. I am sure it will take a couple iterations to get this all correct and usable, so I will continue to appreciate your feedback on this draft page.
I have incorporated your feedback as follows.
- Changed network surveillance bullet point to:
network surveillance that collects information about a person or organization and sends it to another entity in a way that endangers the privacy or device security of the person or organization
- Changed the cyber espionage bullet point to:
cyber espionage that aims to obtain information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage.
- Changed the “The CA operator has done any of the following:” bullet and sub-bullet points to:
The CA operator appears to have:
– Deliberately violated Mozilla's Root Store Policy or other applicable policy; or
– Lied, concealed, or failed to disclose the full extent of a problem.
- Changed “Has gaps between audit periods.” to:
Has non-contiguous audit periods
- Added Warning Signs:
– Fails to provide prompt and detailed responses to Mozilla inquiries about their CA operations, root inclusion requests, policy documents, audit statements, and incidents.
- Demonstrates unacceptable behavior in Mozilla's dev-security-policy discussion forum, as per Mozilla’s Community Participation Guidelines.
- Fails to follow the CCADB Public Code of Conduct when posting in the CCADB Public discussion forum.
Thanks!
Kathleen
Dear Kathleen,
I think your suggestions absolutely go in the right direction.
I would only comment on the “network monitoring” as my understanding is that things like collecting information in the sense of Threat Intelligence / OSINT should be allowed (we want to know what’s being said about us on the web – dark and light alike) and things like intercepting / manipulating traffic should be not allowed (unless it goes into the “lawfull interception” category, which would be a bit strange for a CA to be involved in… but alas. 😉). I’m not English native speaking so I don’t dare to suggest concrete wording but hope this helps to clarify the thought behind this requirement a bit.
Thanks
Roman
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3-5ot2bc1L_mtigtLnN4h2Xt2p6EV6Hey_qABgAhd8t%3DA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/54e67648-e742-4995-865d-b5221fe3ef07n%40mozilla.org.
Which CAs are even publicly traded at this point – Google, Amazon, Entrust? Plus, do government CAs qualify as having independently and publicly available audited financial statements? What about services like Let’s Encrypt? They publish a report on their finances but I think that report is written by Let’s Encrypt, not independent auditors? I’d venture most of the CAs in the root program don’t meet both the independent and publicly available statements.
I don’t like this requirement because it means only small subsidiaries of very large organizations can be a CA.
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Matthew Hardeman
Sent: Thursday, February 9, 2023 11:11 AM
To: Kathleen Wilson <kwi...@mozilla.com>
Cc: dev-secur...@mozilla.org
Subject: Re: DRAFT: Root Inclusion Considerations
As a rule, you tend to have to be a pretty significant business operation to have accounts / financial statements that are "independently audited or examined."
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPAx59EgVZ5rNUJgei2x14yUfany4kNCpDUu1m61tJWMKgGLtg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB26007E1B8E86C2DB615C54388ED99%40BYAPR14MB2600.namprd14.prod.outlook.com.
Which CAs are even publicly traded at this point – Google, Amazon, Entrust? Plus, do government CAs qualify as having independently and publicly available audited financial statements? What about services like Let’s Encrypt? They publish a report on their finances but I think that report is written by Let’s Encrypt, not independent auditors? I’d venture most of the CAs in the root program don’t meet both the independent and publicly available statements.
I don’t like this requirement because it means only small subsidiaries of very large organizations can be a CA.
As a rule, you tend to have to be a pretty significant business operation to have accounts / financial statements that are "independently audited or examined."
Even many small businesses have their financials and tax accounting reviewed and prepared by accounting professionals. But that's different from a formal assertion of "independently audited or examined."
In the US, publicly traded corporations would be. But many private entities would not. It can add a significant time investment and significant expenditure to go that extra step and get an assertion from the accountant that the financials represented in the report do materially reflect the state of the business.
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> On Behalf Of Matthew Hardeman
Sent: Thursday, February 9, 2023 11:11 AM
To: Kathleen Wilson <kwi...@mozilla.com>
Cc: dev-security-policy@mozilla.org
Subject: Re: DRAFT: Root Inclusion Considerations
On Thu, Feb 9, 2023 at 11:54 AM Kathleen Wilson <kwi...@mozilla.com> wrote:
Would it be reasonable to add the following as a Concerning Behavior?
- The CA does not publish annual accounts or financial statements that have been independently audited or examined.
This has been suggested to me via email, but I am not versed in this area.
Thanks,
Kathleen
--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsub...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/54e67648-e742-4995-865d-b5221fe3ef07n%40mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsub...@mozilla.org.
I appreciate your patience and continued feedback as we work together to get this all correct and usable.
https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
I have incorporated recent feedback as follows.
- Changed “network surveillance…” to:
network surveillance that intercepts/manipulates traffic or collects private information about a person or organization and sends it to another entity without the permission of the person or organization, or in a way that endangers the privacy or device security of the person or organization
Unfortunately it won't let me post. I don't see why it would be harmful to ask the community to double-check my work to make sure that I'm not misunderstanding the new requirements?As far as I can tell, there's a number of CAs currently rooted that are already engaging in Concerning Behavior, but maybe I'm misunderstanding something or Mozilla doesn't like that question?------- Original Message -------
On Tuesday, February 7th, 2023 at 9:52 PM, Steve Keller <kelle...@proton.me> wrote:
My apologies, for some reason its not posting my response. I will try again.Thanks,Steve------- Original Message -------
On Tuesday, February 7th, 2023 at 9:06 PM, Kurt Seifried <ku...@seifried.org> wrote:
You need to reply to the list.-KurtOn Feb 7, 2023, at 1:35 PM, Steve Keller <kelle...@proton.me> wrote:What happens to the CAs engaging in "Concerning Behavior" that currently have their root certificates in Mozilla's root store?Mozilla states:> If the CA operator currently has root certificates in Mozilla's root store, then Mozilla may remove those root certificates or set them to be distrusted after a specified date.How much Concerning Behavior would a CA need to engage in before their root certificates were removed?Just a quick review of all the currently included CAs in Mozilla's root store and it seems that these CAs are already engaging in Concerning Behavior according to the recently announced considerations:1. Agence Nationale de Certification Electronique - Corruption Perceptions Index Score less than 50 (score = 40)2. certSIGN - Corruption Perceptions Index Score less than 50 (score = 46)3. China Financial Certification Authority (CFCA) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)4. E-Tugra - Internet Freedom Score less than 50 (score = 32), Corruption Perceptions Index Score less than 50 (score = 36)5. eMudhra Technologies Limited - Corruption Perceptions Index Score less than 50 (score = 40)6. Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)7. Government of Hong Kong (SAR), Hongkong Post, Certizen aka "Hongkong Post" - Internet Freedom Score less than 50, Corruption Perceptions Index Score less than 508. Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) aka "TUBITAK" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store9. iTrusChina Co., Ltd. - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)10. Microsec Ltd. - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store11. Netlock - Corruption Perceptions Index Score less than 50 (score = 42), CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store12. Shanghai Electronic Certification Authority Co., Ltd. aka "UniTrust" - Internet Freedom Score less than 50 (score = 10), Corruption Perceptions Index Score less than 50 (score = 45)13. Actalis - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store14. Atos Trustcenter - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store15. Buypass - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store16. Chunghwa Telecom - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store17. Disig, a.s. - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store18. e-commerce monitoring GmbH - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store19. HARICA - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store20. SwissSign AG - CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store------- Original Message -------
--
Dear all,
Regarding „CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store”, I’d like to point out that we need to make sure that we have a common understanding what “CA’S auditor” means. Is it a person, a company? Is that entity just currently not auditing other public trusted CAs but did so in the past (how long ago) or did the auditors maybe work for a different audit company that -did- audits on other public trusted CAs… ?
The current wording would also exclude new auditors from ever doing their first audit of a public trusted CA… 😉
I think what we all want and expect is that the auditors are experienced, know the regulations they have to audit against and have some understanding of what “good practice” as CA must show.
Kind regards
Roman
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
On Behalf Of Kathleen Wilson
Sent: Montag, 13. Februar 2023 19:59
To: dev-secur...@mozilla.org
Cc: ku...@seifried.org <ku...@seifried.org>; Steve Keller <kelle...@proton.me>
Subject: Re: DRAFT: Root Inclusion Considerations
On Friday, February 10, 2023 at 12:29:54 PM UTC-8 ku...@seifried.org wrote:
FYI at least one person is being blocked from posting to the list properly for reasons unknown.
On Fri, Feb 10, 2023 at 11:04 AM Steve Keller <kelle...@proton.me> wrote:
Unfortunately it won't let me post. I don't see why it would be harmful to ask the community to double-check my work to make sure that I'm not misunderstanding the new requirements?
As far as I can tell, there's a number of CAs currently rooted that are already engaging in Concerning Behavior, but maybe I'm misunderstanding something or Mozilla doesn't like that question?
Steve will need to:
"Subscribe by sending email to: dev-security-p...@mozilla.org. Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected."
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b9407f23-c174-4d75-8d4d-1e439408164dn%40mozilla.org.
Kathleen/Ben,
I have been thinking about the new Concerning Behavior language being proposed for the Mozilla Root Store Policy and I wanted to share my thoughts relative to this policy and censorship.
When discussing CA inclusions, a topic that commonly comes up is the risk of the applicant violating the privacy of Mozilla's users by enabling MiTMs. However, there are other concerning behaviors that are not often discussed, such as the use of certificate issuance and denial as tools for censorship, community exclusion, and enabling misinformation.
These behaviors can have far-reaching impacts on Mozilla's customers and are not aligned with the objectives of Mozilla as I understand them.
In 2015, Let's Encrypt wrote a blog post on why CAs make poor content watchdogs. I believe the points raised in this post are still relevant today, and it may make sense to add some language to the Concerning Behavior section of the Root Store Policy to make Mozilla's position on these topics clear.
For example, we could consider adding the following bullets to the warning signs section:
While this is probably not the exact right wording something similar to this has the potential to make it clear what Mozilla's position on these topics is and as a result, strongly discourage CAs from leveraging their position to support these activities.
Best regards,
Ryan Hurst
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/164d74b3-2371-4d79-815c-2bcd466ace00n%40mozilla.org.
Kathleen/Ben,
Kathleen/Ben,
I have been thinking about the new Concerning Behavior language being proposed for the Mozilla Root Store Policy and I wanted to share my thoughts relative to this policy and censorship.
When discussing CA inclusions, a topic that commonly comes up is the risk of the applicant violating the privacy of Mozilla's users by enabling MiTMs. However, there are other concerning behaviors that are not often discussed, such as the use of certificate issuance and denial as tools for censorship, community exclusion, and enabling misinformation.
These behaviors can have far-reaching impacts on Mozilla's customers and are not aligned with the objectives of Mozilla as I understand them.
In 2015, Let's Encrypt wrote a blog post on why CAs make poor content watchdogs. I believe the points raised in this post are still relevant today, and it may make sense to add some language to the Concerning Behavior section of the Root Store Policy to make Mozilla's position on these topics clear.
For example, we could consider adding the following bullets to the warning signs section:
- CA operators who attempt to act as a content watchdog beyond what is required by other root programs or governing legal jurisdictions should be seen as a warning sign of behavior that could lead to censorship and be incompatible with Mozilas objectives for the root program and its principles overall.
- CA operators who attempt to act as content watchdogs by denying the issuance of Internationalized Domain Names (IDNs) for reasons beyond legal jurisdictional requirements, what is required by other root programs, or the technical limitations of their certificate issuance systems should be seen as a warning sign of behavior that could lead to censorship which would be incompatible with Mozilas objectives for the root program and its principles overall as it limits access to the internet for non-English speaking users and may be used as a tool for political or cultural control.
While this is probably not the exact right wording something similar to this has the potential to make it clear what Mozilla's position on these topics is and as a result, strongly discourage CAs from leveraging their position to support these activities.
Best regards,
Ryan Hurst
--On Wed, Mar 1, 2023 at 4:46 PM Kathleen Wilson <kwi...@mozilla.com> wrote:I continue to receive feedback/concerns about the auditor bullet point in the "Concerning Behavior" section, so I am attempting to resolve those concerns with the following version of that bullet point:
- The CA is using an auditing organization (ETSI, WebTrust) that has not audited other publicly trusted CAs whose root certificates are included in browser root store programs, and the Auditor Qualifications indicate that the audit team is inexperienced in auditing CA operations, public key infrastructure, trust services or similar information systems.
- New auditors are allowed under the condition that the CA ensures that the Audit Team is lead by third-party specialists or affiliate audit firms who are experienced in auditing publicly trusted CAs, and this information must be provided as part of the Auditor Qualifications.
I will appreciate feedback and suggestions on this new text. Does it address your concerns?Also, I am no longer receiving feedback on the rest of the wiki page, https://wiki.mozilla.org/CA/Root_Inclusion_Considerations, so I am assuming that the rest of the page is solid (i.e. ready to remove the "DRAFT" at the top of the page).Thanks,Kathleen--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/164d74b3-2371-4d79-815c-2bcd466ace00n%40mozilla.org.
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CALVZKwY_j1foAGnqW0atHEx%3DMLLZdPXgx-K5aWXyMFvAMnW-2w%40mail.gmail.com.
I think this approach is dangerous too though. Is it censorship if a CA won’t issue to Russian entities? What about to other government entities? If Mozilla goes down this route, the policy should include some standard where a ca can exclude entities where there is there is a risk of potentially facilitating of legally questionable activity.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB26000622195C610DB2107B7F8EB29%40BYAPR14MB2600.namprd14.prod.outlook.com.
1) CA's have to abide by legal restrictions in their jurisdiction (e.g. US sanctions) and often in other jurisdictions (e.g. US sanctions, if you use US banks.. yeah)
[JR] Yeah – but what if its not exactly 100% sanctioned? For example, assume the US decides to sanction a country and France doesn’t. If the CA in France decides not to issue because the entity is on the sanctions list, then what? Did they censure it? Or what if the CA is tired of a country being put on and taken off the US list every month and just stops allowing issuance to that domain. Its okay to issue there some months, but not others.
2) Please define censorship, if you mean "not willing to issue a certificate" then there are many gay areas, e.g. let's pick on Russia. What if the CA says "look, we get a ton of spam/abuse/bad behavior from Russia, so we're simply declining to take those risks, it's not worth it"? Are we now going to force people to deal with everyone and not allow them to be somewhat selective in their clientele?
[JR] This is the crux of the issue. Appropriate vs. inappropriate censorship or what is a good definition of censorship? Is not wanting to issue to Dark Matter censorship after Mozilla booted them? What about sites that are espousing hate crimes? Although there’s nothing that says a CA needs to verify the contents of a site, there’s also nothing saying the CA can’t vet the content of a website. One of my big worries with the original DMCA was being a contributory infringer for copyright violation. If I refuse issuance to Warez sites, is that censorship? A definition would be good.
3) "the policy should include some standard where a ca can exclude entities where there is there is a risk of potentially facilitating of legally questionable activity."
Please define "legally questionable", please define which jurisdictions come into play (the CA? the client? the US where Mozilla resides? anything else?) and so on. This is hugely problematic language.
[JR] That wasn’t proposed language. That was pointing out a flaw in saying “No censorship is allowed”.
Sort of devil's advocate: Why is it a problem if a CA refuses to provide certificates to someone/some entity, assuming it's legal (e.g. a US CA refusing certificates to protected classes of people would likely not be legal, but refusing to service an entire state would likely be legal)?
[JR] I think there’s years of court cases that try to answer this question, and answer it better than I could. But I think Mozilla has an interest in making sure CAs are providing services to the community as a whole (for example, not issuing only to themselves) while allowing CAs to manage their own risk profile.
From: 'Kurt Seifried' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Wednesday, March 1, 2023 9:21 PM
To: Jeremy Rowley <jeremy...@digicert.com>
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa382qwgB%3DC0jMjDWNVWu_2NQRBEVDcsMw88%2B3%3D5zf2Jp7Q%40mail.gmail.com.
I like the reporting mechanism. And Bugzilla is even better because it’s public. If someone complains, the CA can respond there. I know I wouldn’t have a problem saying on Bugzilla that we didn’t issue X cert because they are in X country or were found involved in Y criminal activity.
As for the scope of the problem, no idea. I know the scenarios I gave are real, but I’m unaware of any CA that refuses to issue certs to communities Mozilla might want to protect.
I think that is the wrong question. If we go to first principles, Mozilla Root Policy exists to support Mozilla's mission:
Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe, and independent.
With that context, I believe the question becomes how giving WebPKI CAs room to be content watchdogs supports that vision, and does doing so conflict with that mission? I would argue that it does not support the mission and accommodating it conflicts with that vision.
More concretely, I would argue that the fact the objective of ensuring the internet is a "global public resource" that is "open and accessible to all" directly speaks to the organization's position on this class of problem. Furthermore, the mission's focus on empowering individuals to "shape their own experiences" suggests that the user or their agent should protect them from maliciousness, not some third party they have never heard of.
As a technologist, if I put aside the mission of the organization and ask myself at which layer of the stack should be used to protect users from malicious content, the first question I would ask is at what layer in the stack can we see the content that the user is going to interact with.
The answer to that question would exclude doing so at the naming layer, which is what both DNS and the WebPKI represent, as they don't see the same content the user does, and content changes far more often than certificates expire.
Furthermore, since a browser's technological objective is to provide a uniform experience for its users, I would posit the objective of the root program is to deliver a uniform experience for those that rely on HTTPS within the browser since it is HTTPS that demands the existence of the root program. This precludes accommodating subjectivity; after all, there are nearly 100 members of the root program, and many of these organizations operate in countries with different concepts of appropriateness.
To me, this means that for Mozilla to allow for censoring for reasons outside some narrowly defined scope that is well defined, such as legal obligations and conflicts with other root program requirements it must provide a definition for what is acceptable if it wants them to do this. Otherwise, from the perspective of the web, Mozilla's behavior is non-deterministic.
I say this because CAs in the WebPKI serve at the behest of browsers (which are the user’s agents) as they facilitate the browsers to provide authenticated and encrypted sessions for them. In the case of Mozilla, they achieve this goal by using their software and associated community to advance its broader mission, which includes this scope, which is why the root program exists.
Ryan Hurst
Jeremy,
[JR] Yeah – but what if it's not exactly 100% sanctioned? For example, assume the US decides to sanction a country and France doesn’t. If the CA in France decides not to issue because the entity is on the sanctions list, then what? Did they censure it? Or what if the CA is tired of a country being put on and taken off the US list every month and just stops allowing issuance to that domain? It's okay to issue there some months, but not others.
To the best of my honoring sanctions is something that is legally required of a CA and as such in your initial example, I would imagine they would meet those legal obligations and not issue that certificate.
The Oxford Dictionary defines censorship as:
the suppression or prohibition of any parts of books, films, news, etc. that are considered obscene, politically unacceptable, or a threat to security.
I would say that based on that definition this scenario does qualify as censorship but it would be allowed given the language I proposed because accommodates legal obligations.
The issue arises when the CAs get to apply subjectivity to this practice. As I stated in my earlier response if there are approaching 100 organizations with their own policies on what content they are OK with being on the internet how does that support Mozillas objective?
There is also the larger question of sustainability of accommodating such subjectivity also. I am proud to have known you now for around 20 years. I trust you and I believe as long as you are at DigiCert you would use your influence to make principled decisions even if it was uncomfortable to do so.
But would a CA that issues a few thousand certificates a year do the same? Do they even understand the impact of their decisions sufficiently to adequately asses this question?
I suppose that takes you to the earlier question that Kurt raised. Why does it matter if CAs censor?
Though we often forget this in the west the world is much larger than the English-speaking world. One reason that 2000 certificate issuing CA WebPKI exists is that the internet is a “global public resource” and that local CA is able to support users in that country in a way that the larger CAs are not able to do.
Then there is the question of what happens when Jeremy Rowley retires? Who are the individuals within DigiCert that get to decide such cases? Will they apply the same critical thinking and principled approaches to this problem?
For me, this all comes back to what will it take for the Mozilla Root Program to support its organization's mission and do so in a consistent and sustainable way that is not dependent on goodwill, expertise, and blind faith.
Ryan Hurst
Jeremy,
I wanted to respond to your other two comments.
[JR] That wasn’t proposed language. That was pointing out a flaw in saying “No censorship is allowed”.
To be clear, my proposed language did not say “no censorship is allowed”. Suggesting so would be what I think most would consider a straw man argument. What I did say, in essence, is that said censorship only when served the legal obligations of the CA or requirements of other root programs.
This in essence says if a government says we want you to censor people here is the definition we want you to follow. If a root program wants you to censor here is the standard we want you to follow and Mozilla respects their right to do so.
Basically, there needs to be a clear standard so it is applied uniformly.
[JR] This is the crux of the issue. Appropriate vs. inappropriate censorship or what is a good definition of censorship? Is not wanting to issue to Dark Matter censorship after Mozilla booted them? What about sites that are espousing hate crimes? Although there’s nothing that says a CA needs to verify the contents of a site, there’s also nothing saying the CA can’t vet the content of a website. One of my big worries with the original DMCA was being a contributory infringer for copyright violation. If I refuse issuance to Warez sites, is that censorship? A definition would be good.
Let's take the topic of hate speech. As the agent of the user Mozilla provides a number of capabilities. This includes all the supporting technology and the associated ecosystem that enables it to authenticate domain names and provide TLS.
It also supports technologies to protect its users from content and malicious names, one example being its support for Safe Browsing (I think it might be called Phishing Protection now). If Mozilla wants those it delegates verification of domain control to also protect users from malicious or hateful content it should specify what standard to apply.
Absent that CAs should be put on notice that applying opaque and subjective “good censorship” is something to be considered when they evaluate if a CA should be a member of the root program.
Ryan Hurst
I concur that censorship should be carried out transparently, with comprehensive policies documented in their CPS and any applications of that policy be published in a discoverable manner. For instance, when censorship is the reason for an order being rejected, detailed errors should be published, and possibly a CENSORED.TXT file could be published in a well-known location, similar to how SECURITY.TXT is used to identify security contacts.
I also believe that when a CA serves only a narrow or specific community, its CPS should explicitly state this. This raises questions about whether such entities should be included in the Mozilla root program, which is designed to serve the broader Mozilla community. However, that is a separate discussion.
Regardless of the outcome of this discussion, I think it is appropriate to document Mozilla's stance. This could involve adding text on Concerning Behavior, Recommending Best Practices, or updating the root program requirements themselves. Given the various gray areas that exist in this topic, It was my belief the non-binding nature of"Concerning Behavior" was appropriate which is why I mentioned it here. This is because my understanding is that this is a section of "considerations" not "prohibitions".
Ryan Hurst