Hi folks,
We have discussed delayed revocation a bit internally and wanted to come back to the community with some thoughts.
We agree that expanding beyond the existing revocation timelines (24 hours / 5 days) is undesirable. While we think some exceptional delayed revocations are necessary as a current practicality, we do want to eventually sunset this policy. To that end, we’d like to refine our existing policy so that it is more effective and equitable during the interim.
We’re skeptical about proposals to pre-identify domains that will require delayed revocation. We expect that many sites might ask for such exceptions, and an extensive amount of deliberation would be required in order to process these requests. Worse, in practice, doubtless some sites impacted in a revocation event would not have followed the procedure, and CAs would still be left with a last-minute decision about whether a revocation will inflict substantial harm.
Instead, we would like to seek the community's feedback on the following two proposals:
Clarification of existing requirements
We would be more explicit about what would be required for delayed revocation. Some ideas include:
Explicitly clarifying that CAs must revoke certificates by default, that any delayed revocation must be the result of an explicit request by the subscriber, containing the necessary information, and meeting the requirements under such interim policy;
That subscriber requests contain a clear claim or explanation about the critical nature of the system and why timely revocation is not possible (more detailed requirements to be discussed);
That the requests are signed by a company officer, or similar legal representative, stating that the information in the request is accurate to the best of their knowledge;
That the information contained in the subscriber’s request be accurate to the CA’s understanding (e.g. not materially contradicted by other facts known to the CA);
That each granted request be published for the community (and Mozilla) to scrutinize (allowing CAs to redact PII prior to publication); and
That CAs be required to produce summary statistics in their reports (alongside the individual granted requests) detailing how many requests were received, how many were well-formed, how many were granted, etc.
Consequences of Delayed Revocation
We believe that if a domain hosts critical infrastructure that cannot tolerate timely revocation, then it is deeply damaging to the web PKI. In order to help these domains transition to effective certificate management practices and automated tooling, we propose that domains that are granted delayed revocation must then be limited to shorter-lifetime certificates as a consequence of such decision. This also ensures that future revocations impacting such domains have much less impact.
Concretely, the domains accepted for delayed revocation by a CA are already public. If this proposal were to be adopted, root programs would manage a shared list of such domains (e.g. via the CCADB) and require CAs to limit the lifetimes of certificates issued to these domains (e.g. to 90 days).
We stress that both of these proposals are presented for early feedback, and we look forward to the community’s thoughts on whether they are likely to be suitable and effective, and how they might be improved. We would also look to align these policies across the root programs in order to provide clarity for the entire community.
Thanks and best wishes,
Ben
Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/07e2ef29-85ed-4080-b8c9-a542770a294en%40mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7325aa62-c3b0-41b0-962d-5d44e0847c9an%40mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYZWhgfs23hB-Z%3DgEQCybugPrP8W4MSdnX9Y-dyoMoarA%40mail.gmail.com.
--
We would like to commend Mozilla and the CCADB members for this excellent work. It is a very strong first step in solving the rampant delayed revocation problem afflicting the WebPKI today. We expect this approach to be effective for these reasons:
· It eliminates automatic or thoughtless delayed revocation. By forcing both Subscribers and CAs to take on significant actions for each delayed revocation, it combats the common tendency we see to simply delay revocation for vast tranches or entire bodies of misissued certificates.
· It requires a true, individualized justification for each delayed revocation incident. This will help the community understand the circumstances in which existing revocation timelines are legitimate societal problems and work on solutions.
· It has a strong deterrent effect for unnecessary delays. By mandating documentation of reasons and restricting affected domains to 90-day certificates in the future, both Subscribers and CAs are motivated to hold back delays to only those cases where they are truly warranted.
· It still allows for delay in legitimate emergency cases. There does exist a failsafe for the very rare occasion where a delayed revocation is truly warranted.
· It mitigates risk for non-agile environments. Restricting domains experiencing delayed revocation to shorter-lived certificates reduces the overall risk these non-agile environments bring to the WebPKI.
· It encourages repair of the root problem. Subscribers reduced to maximum 90-day term will be strongly motivated to adopt agile processes or move to private-root PKI solutions. As Subscribers become aware of this possibility, they will be motivated to prepare in advance for revocation events to avoid this eventuality.
We wholeheartedly endorse this plan while recognizing that an additional level of detail remains to be worked out. To that effect, we have a few comments.
The plan as written restricts certificates to 90-days for affected domains regardless of issuing CA. As a mitigating measure, this makes sense. It prevents Subscribers from simply hopping to another CA to avoid solving the core agility problem. The suggested affected domains list managed by CCADB will be essential to this program working correctly. A “90-day linter” would be valuable in aiding CA compliance with this requirement. If this part of the proposal becomes enforced policy, Sectigo is very interested in creating this linter and also plugging it into pkimetal.
We believe this program strongly motivates Subscribers to become more agile with critical systems and to consider more seriously before demanding revocation delays. As such public education of the new rules will strongly affect success. We will encourage both CAs and browsers to assist in communicating these new rules clearly and broadly.
We notice that there is no end date for the 90-day certificate limit. We agree with this decision, as it seems likely that the entire ecosystem will move to this timeline in the fairly near future anyway. We will point out that the deterrent and mitigating effects of this limit are eliminated once the maximum term for all public TLS certificates drops to 90-days. Once that happens, CCADB may want to consider a shorter limit for delrev domains (30 days?) to reinstate these benefits.
Regarding which domains should be restricted to 90-days, as Matt also comments, we believe it would be essential to restrict the base, registrable domain and all subdomains under this policy. Doing otherwise would allow subscribers to get around this restriction through sub-domain hopping. While this could also be circumvented by registrable domain hopping, obviously that is considerably more difficult and comes with its own consequences.
In conversation another CA suggested that we need to deal with the issue of change of domain ownership. Our first-blush reaction is that the shortened maximum term should remain even when a domain changes hands. This is mostly for practical reasons. It prevents Subscribers from shifting domains between their own companies or other such shenanigans. It prevents M&A activity from wiping clean domains that should still be restricted to 90-days. And it removes the need to create an entire mechanism for tracking ownership changes and marrying them back to maximum term.
We hope a mechanism could exist to make the maximum allowed term of a domain generally available knowledge. That way potential buyers of domains or companies have the opportunity to account for that information before purchasing.
There does exist the possibility of a delayed revocation that is unintentional by both the CA and the Subscriber. This could owe itself to a software bug or procedural error made purely in good faith. Under these circumstances there is no agility/criticality risk indicated for the domains in question. CCADB should consider what is required here. Clearly there will be no request from the Subscriber, and the CA’s explanation will be the same for all domains, which will be the error that led to the delay. Though such a thing is very rare, it is possible.
Under these circumstances limiting affected domains to 90 days might be unnecessarily hard on Subscribers through no fault of their own. We are inclined to say in the case of a truly accidental revocation delay that this limit not be placed. Of course, this does open a potential loophole for bad-faith declarations from CAs that a revocation delay was motivated by an unwitting error. We expect that public scrutiny and reputational damage to the CA will be sufficient demotivators to prevent this kind of deceit and suggest there be a different set of requirements for unintended revocation delay. The CA should still be expected to report and explain the problem and to provide credible action items to prevent repeat of this error, just as with any other bug.
We’re skeptical about proposals to pre-identify domains that will require delayed revocation.
We expect that many sites might ask for such exceptions, and an extensive amount of deliberation would be required in order to process these requests. Worse, in practice, doubtless some sites impacted in a revocation event would not have followed the procedure, and CAs would still be left with a last-minute decision about whether a revocation will inflict substantial harm.
Clarification of existing requirements
We would be more explicit about what would be required for delayed revocation. Some ideas include:
Explicitly clarifying that CAs must revoke certificates by default, that any delayed revocation must be the result of an explicit request by the subscriber, containing the necessary information, and meeting the requirements under such interim policy;
- That subscriber requests contain a clear claim or explanation about the critical nature of the system and why timely revocation is not possible (more detailed requirements to be discussed);
- That the requests are signed by a company officer, or similar legal representative, stating that the information in the request is accurate to the best of their knowledge;
That the information contained in the subscriber’s request be accurate to the CA’s understanding (e.g. not materially contradicted by other facts known to the CA);
- That each granted request be published for the community (and Mozilla) to scrutinize (allowing CAs to redact PII prior to publication); and
Concretely, the domains accepted for delayed revocation by a CA are already public. If this proposal were to be adopted, root programs would manage a shared list of such domains (e.g. via the CCADB) and require CAs to limit the lifetimes of certificates issued to these domains (e.g. to 90 days).
- We would also look to align these policies across the root programs in order to provide clarity for the entire community.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqu2-_ByLaOFf3fadH_b7AiqGeOe3OKb7ZGZkvLiRrNOAw%40mail.gmail.com.
Thank you, this is helpful (to me at least).
> I think that this process in its current form has not served to minimize or eliminate delayed revocation.
Unlike literally every other rule, one root program had an explicit exception for just this rule. And unsurprisingly, the exception was leveraged a lot.
I don't think it's fair to describe this as being unique to Mozilla's root program, though Mozilla's expectations were more explicit--if not generally, or maybe ever, honoured in their entirety. As an example, Chrome's root program provides for Filing A(nother) Incident if the expected remediation doesn't happen in the prescribed timeframe:
"If the Chrome Root Program Participant does not perform the required follow-up actions, or does not perform them in the expected timeframe, the Chrome Root Program Participant SHOULD file a secondary incident report describing any certificates involved, the expected timeline to complete any follow-up actions, and what changes they are making to ensure they can meet these requirements consistently in the future."
(That SHOULD not being a MUST breaks my heart a little, but I think that practically it doesn't have much effect.)
Similarly, the CCADB incident process itself says:
"CA Owners should submit an additional, separate incident report when:
In what ways do you feel that those are materially different from
Mozilla's supplemental incident response guidance, other than that
unlike Mozilla's these cases are directly part of the policies?
There is a solution to "there is a pattern of incidents" available to root programs already. I do not understand why, given a pattern of incidents, the solution Mozilla is proposing is "add an exception", not either trust actions, or actually changing the rule. Either strike the rule, or don't.
Ah, this is interesting. I see the 90-day-limit as in fact being
an explicit description of a trust action that is being proposed
as Mozilla policy: we will no longer trust this subscriber-domain
to . It's a bit unusual in that it's a trust action that's
directed more at the subscriber than at the CA, but practically
that's where responsibility and agency for "critical
infrastructure" and related misuses of the Web PKI are going to
live.
Another way to imagine this rule is "Mozilla will not trust certificates with a validity period > 90 days if they are issued against a domain in this shitlist". Getting that to be the case across multiple root programs would obviously improve things for Mozilla in matters of market share realpolitik, and if CAs can be convinced not to issue in the first place then that's a better situation for all involved IMO; in terms of the effect on Mozilla's users as relying parties, though, I think they're pretty much equivalent.
As far as I can tell, Ben is not proposing a solution to "a
pattern of incidents", nor a limitation on how those might be
addressed. As I understand the proposal, this would apply to all
delayed revocation cases, including the "first offense" for any
given CA or subscriber. It doesn't take any tools out of
Mozilla's hands with respect to how to address CAs who Mozilla
feels are not acting appropriately, such as distrust or
partial-trust limitations. A separate discussion on what
constitutes a pattern of incidents, and how Mozilla might in the
future decide to respond, could be valuable, but I would not want
to do anything that kept Mozilla from being able to distrust a
root at its sole discretion.
Any proposal to add an exception to the rules, rather than actually changing the rules
I'm not sure exactly what you mean here. Adding an exception is obviously changing the rules, if you see this as adding an exception.
I see it as adding a more explicit statement of consequence to accompany "Mozilla does not grant exceptions to the BR revocation requirements". I do think that the wording on the CA/Responding _To_An_Incident page would benefit from some edits for clarity, and I think that Ben is already working on changes in that direction. The existence of that page does seem to have been taken by some CAs and perhaps subscribers as permitting delayed revocation if the administrative tasks of the additional incident are fulfilled. Mozilla's responses to such delayed revocation cases, and patterns thereof, have been more muted than I would have personally preferred, but I take these proposals as a welcome sign that Ben and the team are looking closely at how they now want to respond in cases where delayed revocation does occur.
I see now that among my comments in my earlier reply to Ben, I missed one that I wanted to make:
Having parents pick up children late from daycare is a big problem for many care providers. In order to deter such behaviour--or, if you prefer, to motivate timely pickup--some daycares institute additional fees/fines incurred when a child is picked up late. Unfortunately, this often has the opposite effect to what's desired: parents see the fee as being the fair-exchange price of arriving late, and reason on that basis. "It's worth $50 to me to not leave this meeting early." I do worry about situations where CAs and subscribers reason about the cost of migrating to a 90-day cycle versus the cost of prompt revocation, on a similar fair-exchange basis.
(If I recall correctly, the most effective means for reducing
late pickup were "N-maybe-zero-strikes after which the parents are
given 90 days to find a different daycare" or "rely on social
pressure and the human relationship and guilt and such soft
tools". The latter seems to not be especially viable for root
programs, and I don't know that a bright line N-strikes policy
would be in the interests of the web either.)
, is harmful to the ecosystem, and in particular, harmful to any root program that expects the rules and incident process to be followed.
Could you elaborate on the specific rules or process elements in
the CCADB or non-Mozilla root programs that you feel are put at
risk by providing clarity on how Mozilla plans, at least in part,
to respond to future delayed revocation cases?
Mozilla could *always* have said "we're not going to trust > 90 certs from this domain now" after a delayed revocation incident. This is not giving them new permission, because root programs can basically do whatever they want, or reducing any possible penalty. It's providing clarity about how Mozilla plans to react in the future, and how it hopes other root programs will as well. With or without this proposal being described in detail, Ben can always say "you're a 90-day domain now", and has always been able to. This is a proposal for Mozilla to make its operating policy be that it will react in a certain way to *any* delayed revocation, and to document that policy decision for the benefit of the community.
From the perspective of it being corrective rather than punitive,
a shorter limit would be more effective, because if it's setting
the upper boundary on how long revocation for a cert can be
delayed, then 90 days is still too high. I'm OK with it relying on
the punitive element and it creating better incentives for
automation, and this policy wouldn't prevent Mozilla from setting
a shorter limit on a domain's certs whenever it felt that was
appropriate.
Mike
Dear Ben,
Thanks a lot for your effort which is highly appreciated.
SwissSign would prefer option 2 (Consequences of Delayed Revocation) over option 1 as an interim policy change. The reason being that it has nudges the customer toward automation. However we believe that there are some customers who really struggle with automation and we believe it is important to get more insights into what exactly their problems are.
Additionally, from a customer point of view (as well as the whole PKI community) it would be important to outline the final target state that such an interim policy change would work towards including the time frame of the final state.
From our previous delayed revocation, we know that:
All these are not problems that a CA alone can fix. All we can do is educate, support to the best of our abilities and revoke on time.
Finally, we think that we should consider if TLS and S/MIME should be treated the same or not. To this, we currently don't have a position/preference.
Kind regards
Sandy Balzer / SwissSign team
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYZWhgfs23hB-Z%3DgEQCybugPrP8W4MSdnX9Y-dyoMoarA%40mail.gmail.com.