
Ambiguous wording of the Mozilla CA security reporting requirement


Jakob Bohm

Sep 9, 2016, 7:00:15 AM
to mozilla-dev-s...@lists.mozilla.org
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/

Only lists the following rule requiring disclosure of CA security
issues:

1. When a serious security concern is noticed, such as a major root
compromise, it should be treated as a security-sensitive bug, and the
Mozilla Policy for Handling Security Bugs should be followed.

Since a major root compromise is generally considered the worst
possible security event for a trusted CA, this wording could easily be
(mis?)understood not to require reporting of lesser security failures,
such as issuing millions (or just hundreds) of certificates without
proper validation etc.

Am I reading something wrong, or is there an unintended loophole in the
Mozilla Policy, as written, in this regard?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Peter Gutmann

Sep 10, 2016, 2:19:44 AM
to Jakob Bohm, mozilla-dev-s...@lists.mozilla.org
Jakob Bohm <jb-mo...@wisemo.com> writes:

>Am I reading something wrong, or is there an unintended loophole in the
>Mozilla Policy, as written, in this regard?

A cynic would say that that's the exact intent of the policy, to ensure that
unless a catastrophe-scale event that's so big that Mozilla can't ignore
it any more occurs, any CA problems can simply be swept under the carpet.

Peter.

Gervase Markham

Sep 10, 2016, 8:40:29 AM
to Jakob Bohm
On 09/09/16 11:59, Jakob Bohm wrote:
> Since a major root compromise is generally considered the worst
> possible security event for a trusted CA, this wording could easily be
> (mis?)understood not to require reporting of lesser security failures,
> such as issuing millions (or just hundreds) of certificates without
> proper validation etc.

Our position on the meaning of this clause, which (by their behaviour)
can be said to be shared by many CAs, was set out at the very beginning
of the original mail about WoSign.

Gerv


Jakob Bohm

Sep 12, 2016, 1:38:48 PM
to mozilla-dev-s...@lists.mozilla.org
Yes, I am aware of this position and suggesting the Mozilla policy be
changed to reflect its intended meaning.

This is particularly relevant as one of the CAs currently under
discussion claimed difficulty understanding that this particular rule
required them to report lesser incidents.

Kathleen Wilson

Sep 16, 2016, 12:15:12 PM
to mozilla-dev-s...@lists.mozilla.org
Added to the list here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Accountability

And, yes, I am fully aware that a policy update is way overdue. :-(

Thanks,
Kathleen
