On 07/10/16 17:50, Ryan Sleevi wrote:
> One possible issue with this is that there hasn't been a similar
> question about StartCom's past practices. I think that, up until the
> discussion began, particularly around the backdating of certificates,
> it might have been said the same about WoSign - that is, the view
> that the issues were 'minor'.
Hear ye, hear ye, if anyone do have any evidence of additional
malfeasance by StartCom, ye are to declare it now, or forever hold your
peace!
:-) In all seriousness, we remain open to additional submissions of
evidence which might change how we should view these things.
> We know that the investors and principals have changed, and thus the
> priorities have changed. I think, in the case of many CAs, we might
> say that, prior to their misissuance, they were well-run CAs. But
> isn't that part of the problem? By taking into perspective a
> historical view, rather than an incident-based view, it naturally
> gravitates towards favoring incumbents (those who have been able to
> operate long enough to be considered 'mature' when a misissuance
> happens), and begins to introduce subjective-based weights into a
> process that is, ideally, largely objective.
I don't think you can avoid that entirely. Let's say CA Foo and CA Bar
both simultaneously mis-issue a cert for mozilla.org due to a bug in
their respective home-grown software stacks, and it was discovered a
week later. I think it would be weird to treat those two events exactly
the same in terms of possible sanction even if:
* CA Foo had no history of more minor incidents, but CA Bar had a long one;
* CA Foo had carefully grown its business slowly to avoid scaling
issues, but CA Bar had just served every customer who came knocking;
* CA Foo had, over the years, used best practices for secure code
development, but CA Bar had not;
* CA Foo immediately did root cause analysis and fixed the bug, but CA
Bar merely revoked the certificate and carried on.
I think these would all be relevant factors.
> The implication here - that factors such as management and technology
> bear into decision making - suggests that future inclusion or
> maintenance requests need to consider this. I don't disagree that
> these could be valuable axes in determining trust, but I think
> historically, Mozilla's Root Store has erred on the side of
> objectivity. For example, we see discussions about particular
> countries' views on wiretaps brought up from time to time, or
> particular companies' associated businesses providing
> wiretap/intercept capabilities, but on the whole, these associations
> are rejected as being influential in the decision to include or not -
> instead, it's based on (ideally) objective evaluations against audit
> criteria and technical standards.
I think that latter example is slightly different, because such
objections are normally lodged with the absence of any evidence
whatsoever that the CA in question has done anything wrong.
> Clearly, there's a set of priorities at play here - what are the
> ultimate goals for Mozilla's Root Store? What are the things to
> prioritize?
I rather liked Ryan Hurst's five principles. :-)
> An argument for distrust is that it strongly signals to the ecosystem
> that there is a serious risk in non-compliance. As such, the greater
> the fiduciary or business risk, the greater justification there is
> for investments into policies, practices, and technologies to
> minimize that risk. If you eliminate any risks, what incentives are
> there to align on proper behaviour, especially given the economic
> structures of CA trust, such that there is no long-term reputational
> brand damage for misissuance, nor is there any way to discover it
> (from people 'outside the know'). That is, to an end user, there's no
> distinction in trust between "Honest Achmed's Gently Used
> Certificates" and "Best CA in the world" - and as such, there's no
> incentives for site operators to consider one or the other.
I agree with that, in general. But I don't think the suggestion of
having one plan for WoSign (the one outlined in my paper, which involves
a year's dis-trust, security audits and other major business disruption)
and another for StartCom (which involves significant expenditure on
their part, but does not involve a period of dis-trust) counts as
"eliminating any risk of non-compliance"!
> An argument against distrust is generally that of user impact.
> Distrust options, at present, vary in proportionality of user impact
> (generally with the size of the CA), and thus the larger the CA, the
> more difficult it can be seen to take action.
>
> But is that Mozilla's justification or set of priorities? It might be
> useful to understand what you (and other module contributors, to be
> particular, since we all may have different views) prioritize.
I try very hard to avoid considering the size of the CA, and I don't
think I've done so in this case. I favour sanctions which can be
implemented independent of CA size. I'm glad that the ecosystem is
moving towards trusted timestamps embedded in certificates, because that
will make it even easier to retire a CA, of any size, without too much
ecosystem impact.
>> I would say the key differences with Symantec are that WoSign's
>> misdemeanours involved actual misissuance to third parties (e.g
>> the github certificates) and provable lying, e.g. about ownership
>> and SHA-1 backdating. I don't see either of those serious
>> components in the Symantec case. This is not to minimise what
>> happened at Symantec, but I do think the WoSign situation is more
>> serious. But then, even before this, I think it was already the
>> case that you took a dimmer view of the happenings at Symantec than
>> I did (your view perhaps being based on more complete
>> information).
>
> This is a disconcerting viewpoint for me. It suggests that you view
> "We've sacked the people responsible" as an acceptable response, so
> long as we can't prove the CA is lying.
I think that's an over-generalisation of my position :-) Whether sacking
people is an acceptable response depends on what has happened.
> In these scenarios, should our position be to 'fail open' (and
> continue to trust the CA, with some set of remediation plan) or 'fail
> closed' (and remove the CA until it can prove it's in compliance).
I think that yo-yoing CAs in and out of trustedness is disruptive to
customers. Killing a CA entirely is actually less disruptive. Removing
CAs from trustedness for minor or even medium-severity non-compliance
issues, pending compliance, is not a good strategy IMO.
>> As I said in my previous email, Qihoo's plans are enough, I think,
>> to count as "data relevant to our current view" and I think we should
>> at least consider the two CAs separately, although that doesn't
>> preclude reaching the same conclusion for each.
>
> I'm uncomfortable with this, because it's a promise, with no timeline
> for delivery, and significant risk until it's met.
I hear you, but I want to wait to see what they have to say. (Soon, I
very much hope.)
>> As noted above, no agreement has been reached. However, as the
>> person who took a meeting with Qihoo's Head of Security, who will
>> now chair StartCom, I feel that he does understand the issues and I
>> am willing to give his chairmanship and Inigo Barreia's CEO-ship an
>> opportunity to demonstrate they can run a CA well. Inigo's track
>> record at Izenpe is good - I'm not aware of any incidents involving
>> them.
>
> Does this suggest that Mozilla would be willing to meet with CA
> applicants' CSO/CEOs, to get a 'gut sense' about whether they're
> "serious", and then decide to overlook failures to abide by Mozilla's
> inclusion requirements? I ask this, because I think this highlights
> some of the disconcerting disconnect with "Oh, I know Jim, Jim's a
> good guy" sort of approaches.
I think that assessing the trustworthiness of people is an unavoidable
part of assessing the trustworthiness of companies (who are made up of
people). If Richard Wang started a new CA, when it applied to the
Mozilla root program would it make a difference in the process that it
was him running it? I think it would.
>> Indeed, this would be a bad situation - which is why, in my mind,
>> a different deal for StartCom would be predicated on them moving
>> quickly to a position where they share _nothing_ with WoSign,
>> rather than everything.
>
> How, if ever, will the community be assured of this? This is
> something that's quite intangible - which is the very problem.
That's a good question. What do you think is a good way? I'd suggest a
third party system audit, with the auditor chosen by Mozilla and paid
for by StartCom. They could either verify the use of specific COTS
software, or verify the use of original StartCom software, or give a
thorough going-over to anything left that had been touched by WoSign.
Gerv