CA Organizational Suitability: discussion questions

[Gervase Markham]

Having now read all the mails on this subject in the Teliasonera thread,
I think there are a few fundamental questions we would need to answer
before making policy in this area.

1) Does Mozilla support the principle of "lawful intercept" or not?

Or, to put it another way, do we think it is automatically wrong for any
government to read the communications of its citizens or others in any
and every circumstance?

If we do not think this is automatically wrong in all circumstances,
then we will have to work out what kinds of lawful intercept we think
are OK, and which governments we are OK with doing them, whether it's OK
to compel companies to help them (secretly) by using the certificate
system, and whether it's OK for us to enforce our ideas of what's OK on
everyone else. And this, of course, will be an enormous discussion. The
trouble is that I think that most people (including me, at least at the
moment) think that there are circumstances where it's OK for governments
to do this for the purposes of law enforcement, with the right
safeguards. And historically and in the most part, societies have agreed
with a proportionate right for the government to do this (e.g. with
snail mail), although many countries appear to be having trouble
adapting those proportionate principles to the Internet age, and/or
preserving said safeguards. However, even among people who agree that
such circumstances exist, there is probably disagreement about what
those circumstances are.

While this is a big question, it's also crucial - I can forsee a lot of
people talking past each other if there is no consensus on this question.

2) What evidence does Mozilla accept when assessing a CA?

If we do decide to put in place some standards of behaviour, association
or business practice, how do we evaluate whether a CA has violated them?

I am strongly of the opinion that it is not reasonable to try a
potential or existing CA in the court of public opinion. We need
evidence. Actual certs (e.g. used for MITM) are the best evidence (as
it's cryptographically strong), probably followed by a statement from
the company itself that it does <thing> that we have decided not to
allow. Where things get murkier are if a journalist writes an "exposé"
which can't be verified through other sources.

And as Mozilla hasn't got the resources to pay people to do all the
necessary research into each business ourselves, so it could be that
whether a CA gets in or not depends more on the number and motivation of
the people who are bothering to investigate for us rather than on a
level-headed comparison of what they are up to with other CAs we've
accepted or rejected.

Also, particularly in the case of government CAs, there are as many ways
of being "associated with government" as there are CAs. How do we decide
when a CA is "too close", given that any government almost certainly has
a mechanism to compel a CA under its jurisdiction to issue a cert,
whether or not that CA is a government CA.

3) How do we choose assessment criteria?

Many criteria have been suggested - government of a "repressive regime",
sells technology to "repressive regimes", and so on. There are a load of
complex and deeply political definitional issues here, and we should be
under no illusion that defining such things is privileging some
cultures, governmental structures, and societal arrangements above others.

Speaking entirely personally, I have no problem saying that one culture
and way of doing things is superior to another (I'd say the cultures
which are closest to Christian thought and behaviour are better :-) but
I am certain that other people will have different criteria and some
people would want to argue strongly for no criteria at all, because to
do so would be "cultural imperialism". So I can imagine this being an
enormous argument as well.

4) What impact would some of these proposed policies have?

It would be unfortunate and destabilising if we decided on a principle
which, in practice, meant we had to distrust most of the public certs on
the Internet. While we might be able to manage the problem somewhat
using sunset dates, that would probably have a significant effect on
Mozilla's public image (in some circles for good, others for bad) and
Firefox's market share (probably in the downwards direction). Mozilla's
mission is a wide one, including more than just "prevent governments
from spying on people" (some might argue that it doesn't include that at
all) and much of it is underpinned by our continued success. The world
is bigger than the concerns of mozilla.dev.security.policy.

This is not an argument for or against any particular policy, it's an
argument for not making public statements like "CAs may not be in the
business of providing surveillance equipment" before we investigate how
many CAs are actually in that business, what impact kicking them all out
would have, and whether banning them from doing that would actually
improve user security in plausible scenarios.

Gerv

[Jan Schejbal]

Am 2013-03-19 10:49, schrieb Gervase Markham:
> whether it's OK to compel companies to help them (secretly) by using
> the certificate system

In my opinion, a CA's job is to correctly certify that a key belongs to
a certain person or organization. Issuing a certificate that claims
"this key belongs to google.com" while the key is actually held by the
police is willful misissuance of a certificate.

There should be a clear consensus that a willful misissuance will in all
cases, without any wiggle room, lead to exclusion from the list of
trusted CAs, which will destroy the CA in practice.

This is also important to protect the CAs from being compelled to
misissue certificates: It will be much harder to argue that a CA can be
compelled to do something if this "something" will destroy the company.

It is also required to ensure that a CA will have a strong motivation to
fight such requests instead of just taking the easy way out and complying.

> Also, particularly in the case of government CAs, there are as many
> ways of being "associated with government" as there are CAs. How do
> we decide when a CA is "too close", given that any government almost
> certainly has a mechanism to compel a CA under its jurisdiction to
> issue a cert, whether or not that CA is a government CA.

Given the above consequences, I doubt that all governments have a
(legal) mechanism to compel a CA to misissue a certificate. I am pretty
sure that most western jurisdictions have some kind of requirement that
the action must be "reasonable", and a CA facing the risk of being
destroyed if the false certificate is discovered will use all legal
means to prevent misissuance.

I think that it should not matter if the CA is associated with a
government. What should matter is the honest answer to the question "do
we expect this CA to do its job well and not to misissue certificates?"

That, in turn, is nearly impossible to decide based on some kind of
fixed criteria, as it is a decision of trust. Unfortunately, I don't
have a good solution for this either. A good general rule could be "if
the CA or any organization to which it has close ties has been involved
in active attacks against users, they cannot be trusted".

This of course leaves "close ties" and "attacks" open for definition and
requiring proof. While a MitM attack is a clear-cut case of an attack,
where do we draw the line at DNS spoofing? Censorship like China does?
Censorship like UK does? Redirecting nonexisting domains to ad pages
like some providers do? Where do we draw the line on malware
distribution? Bundled toolbars that install themselves without user
consent? Consent hidden in the EULA? Consent via a checkbox checked by
default?

If we attempt to set fixed rules, we will probably fail. A voting-based
approach where a group of respected members of the IT/ITSec community
(chosen e.g. by Mozilla) simply vote on the question
"Do you trust that this organization will not misissue certificates?"
and the CA gets added only if 50%/66.7%/75%/90%/100% of them answer yes
may be the easiest and best solution.

Kind regards
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

[Gervase Markham]

On 21/03/13 21:33, Jan Schejbal wrote:
> Am 2013-03-19 10:49, schrieb Gervase Markham:
>> whether it's OK to compel companies to help them (secretly) by using
>> the certificate system

Jan: it seems that your answer to this third question in this section is
No. Can you answer the first two questions as well? Do you believe
there's such a thing as "lawful intercept"? If you do, when is it OK and
when not? And (again, if you do) why is "lawful intercept" in general OK
but "lawful intercept using certs" not OK?

> It is also required to ensure that a CA will have a strong motivation to
> fight such requests instead of just taking the easy way out and complying.

And if the CA loses in the legal system in its own jurisdiction, having
fought all the way, that still should be the end of its business?

> Given the above consequences, I doubt that all governments have a
> (legal) mechanism to compel a CA to misissue a certificate. I am pretty
> sure that most western jurisdictions have some kind of requirement that
> the action must be "reasonable", and a CA facing the risk of being
> destroyed if the false certificate is discovered will use all legal
> means to prevent misissuance.

I am pretty certain there is legislation in both the US and UK which
could be used to compel a CA to issue a certificate and not tell anyone
about it. It may not be the case that all governments have this
legislation, but the point still stands if only a proportion do.
Particularly if they are the ones were many CAs are based.

The fact that the CA faces being destroyed doesn't change the legal
situation about whether this can be done legally or not.

> If we attempt to set fixed rules, we will probably fail. A voting-based
> approach where a group of respected members of the IT/ITSec community
> (chosen e.g. by Mozilla) simply vote on the question
> "Do you trust that this organization will not misissue certificates?"
> and the CA gets added only if 50%/66.7%/75%/90%/100% of them answer yes
> may be the easiest and best solution.

How would you choose such a group? Surely that simply means that Mozilla
abdicates the responsibility for setting policy and passes it to this group?

This sounds a lot like "trial in the court of public opinion" to me,
even if the members of the public concerned are more knowledgeable about
certificates than average.

Gerv

[Rob Stradling]

On 22/03/13 13:22, Gervase Markham wrote:
<snip>

> I am pretty certain there is legislation in both the US and UK which
> could be used to compel a CA to issue a certificate and not tell anyone
> about it.

Certificate Transparency will address this. With CT, "not tell anyone
about it" means that the certificate cannot be used.

Hmmm...now I'm wondering if the legislators will want to make CT
illegal, on the grounds that it prevents them from doing "lawful
intercept using certs"!

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

[Phillip Hallam-Baker]

Don't rule out the possibility that one half of the NSA is pushing CT
precisely to stop the other half of the NSA from doing wireless
intercepts.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy



--
Website: http://hallambaker.com/

[Kyle Hamilton]

I forgot to hit reply-all. Oops.
---------- Forwarded message ----------
From: "Kyle Hamilton" <kya...@kyanha.net>
Date: Mar 22, 2013 7:51 AM
Subject: Re: CA Organizational Suitability: discussion questions
To: <jan.sche...@gmx.de>

It is clear to me that we have an issue which would be best addressed with
a non-harmful (because of redundancy at customer) temporary voluntary
withdrawal from the trust list.

This of course would require that customers have multiple certs which all
certify the same public key (though many CAs prohibit this), or having a
non-breaking certificate multi-bundle. You know, like my Envelope
structure.

Everyone is approaching this as though it can be stopped by policy alone.
It can't.

I do not believe that there is -ever- any acceptable reason for any
government to forge signatures, and that's what allowing them to compel
certificate issuance amounts to. "Here, we'll sell you a pen that's
specific to you." and "We're willing to sell or give you a pen that's
functionally identical to that one." This is material breach.

-Kyle H

On Mar 21, 2013 2:33 PM, "Jan Schejbal" <jan.sche...@gmx.de> wrote:

> Am 2013-03-19 10:49, schrieb Gervase Markham:

> > whether it's OK to compel companies to help them (secretly) by using

> > the certificate system
>
> In my opinion, a CA's job is to correctly certify that a key belongs to
> a certain person or organization. Issuing a certificate that claims
> "this key belongs to google.com" while the key is actually held by the
> police is willful misissuance of a certificate.
>
> There should be a clear consensus that a willful misissuance will in all
> cases, without any wiggle room, lead to exclusion from the list of
> trusted CAs, which will destroy the CA in practice.
>
> This is also important to protect the CAs from being compelled to
> misissue certificates: It will be much harder to argue that a CA can be
> compelled to do something if this "something" will destroy the company.
>

> It is also required to ensure that a CA will have a strong motivation to
> fight such requests instead of just taking the easy way out and complying.
>
>

> > Also, particularly in the case of government CAs, there are as many
> > ways of being "associated with government" as there are CAs. How do
> > we decide when a CA is "too close", given that any government almost
> > certainly has a mechanism to compel a CA under its jurisdiction to
> > issue a cert, whether or not that CA is a government CA.
>

> Given the above consequences, I doubt that all governments have a
> (legal) mechanism to compel a CA to misissue a certificate. I am pretty
> sure that most western jurisdictions have some kind of requirement that
> the action must be "reasonable", and a CA facing the risk of being
> destroyed if the false certificate is discovered will use all legal
> means to prevent misissuance.
>

> I think that it should not matter if the CA is associated with a
> government. What should matter is the honest answer to the question "do
> we expect this CA to do its job well and not to misissue certificates?"
>
> That, in turn, is nearly impossible to decide based on some kind of
> fixed criteria, as it is a decision of trust. Unfortunately, I don't
> have a good solution for this either. A good general rule could be "if
> the CA or any organization to which it has close ties has been involved
> in active attacks against users, they cannot be trusted".
>
> This of course leaves "close ties" and "attacks" open for definition and
> requiring proof. While a MitM attack is a clear-cut case of an attack,
> where do we draw the line at DNS spoofing? Censorship like China does?
> Censorship like UK does? Redirecting nonexisting domains to ad pages
> like some providers do? Where do we draw the line on malware
> distribution? Bundled toolbars that install themselves without user
> consent? Consent hidden in the EULA? Consent via a checkbox checked by
> default?
>

> If we attempt to set fixed rules, we will probably fail. A voting-based
> approach where a group of respected members of the IT/ITSec community
> (chosen e.g. by Mozilla) simply vote on the question
> "Do you trust that this organization will not misissue certificates?"
> and the CA gets added only if 50%/66.7%/75%/90%/100% of them answer yes
> may be the easiest and best solution.
>

> Kind regards
> Jan
>
> --
> Please avoid sending mails, use the group instead.
> If you really need to send me an e-mail, mention "FROM NG"
> in the subject line, otherwise my spam filter will delete your mail.
> Sorry for the inconvenience, thank the spammers...

[Kyle Hamilton]

Or, you could set 'nonrepudiation' in the original cert, and refuse to set
it in any non-entity certificate. The grounds: "it would permit you to
sign contracts that could not be distinguished without expert assistance in
the courts."

-Kyle H
On Mar 21, 2013 2:33 PM, "Jan Schejbal" <jan.sche...@gmx.de> wrote:

> Am 2013-03-19 10:49, schrieb Gervase Markham:

> > whether it's OK to compel companies to help them (secretly) by using

> > the certificate system
>
> In my opinion, a CA's job is to correctly certify that a key belongs to
> a certain person or organization. Issuing a certificate that claims
> "this key belongs to google.com" while the key is actually held by the
> police is willful misissuance of a certificate.
>
> There should be a clear consensus that a willful misissuance will in all
> cases, without any wiggle room, lead to exclusion from the list of
> trusted CAs, which will destroy the CA in practice.
>
> This is also important to protect the CAs from being compelled to
> misissue certificates: It will be much harder to argue that a CA can be
> compelled to do something if this "something" will destroy the company.
>
> It is also required to ensure that a CA will have a strong motivation to
> fight such requests instead of just taking the easy way out and complying.
>
>

> > Also, particularly in the case of government CAs, there are as many
> > ways of being "associated with government" as there are CAs. How do
> > we decide when a CA is "too close", given that any government almost
> > certainly has a mechanism to compel a CA under its jurisdiction to
> > issue a cert, whether or not that CA is a government CA.
>

[Jan Schejbal]

Am 2013-03-22 14:22, schrieb Gervase Markham:
> why is "lawful intercept" in general OK
> but "lawful intercept using certs" not OK?

No matter the stance on lawful intercept, the job of the CA system is to
correctly certify identity. Lawful intercept using certs is
misrepresentation of identity. Allowing this opens a deep deep hole that
should not be opened.

Let's turn it around: If we say that "lawful intercept using certs" is
OK, we basically say that we intentionally weaken existing technical
protections to allow totalitarian countries to eavesdrop on activists
(lawfully according to their laws).

This is not a stance I want anyone to take, and certainly not Mozilla,
the organization that claims to protect its users.

There is another problem with allowing "lawful interception"
certificates to be issued: A rogue country could get a lawful
interception sub-CA, issue arbitrary certs for arbitrary domains, do
some BGP rerouting, and suddenly attack traffic that goes from me, a
German citizen in Germany, to a server of a German company in Germany
(i.e. outside their jurisdiction). I expect Mozilla to take technical
countermeasures against this (i.e. yank the root). With a "LI using
certs is OK" approach, Mozilla could only watch as their users get
pwned. (The CA just complied with the law, the government is the one
exceeding their jurisdiction.)

> And if the CA loses in the legal system in its own jurisdiction, having
> fought all the way, that still should be the end of its business?

Yes. If a CA is unable to do its job, i.e. correcty certify identity
without misrepresenting it, no matter the reason, then the CA is unable
to be a CA.

Also, I have pointed out that this is kind of a self-fulfilling
prophecy: If we tolerate CAs misissuing certificates for "lawful
intercept" after they fought it in court, it becomes much more probable
that they will be compelled. If we make clear that mississuing means the
CA is gone, the CA has much better chance to fend it off. Politicans are
also less likely to enact laws that would mean that CAs could not
operate in their jurisdiction, since that would not achieve their aim
(get LI certificates) but simply drive companies out of the country.

> The fact that the CA faces being destroyed doesn't change the legal
> situation about whether this can be done legally or not.

I am not a lawyer, but I am pretty sure that in Germany, the
constitutional court would rule a law that would force the CA to face
destruction unconstitutional, while the same law would be OK if the CA
would not face destruction. Also, I think that regular courts would rule
any demand that would risk the destruction of the company unreasonable,
while the same demand that would not bear this risk may be considered
reasonable.

If you look at https://www.eff.org/files/colour_map_of_CAs.pdf, Germany
may not have that many root CAs, but it certainly has a lot of CAs.

Even if a CA can be compelled, I think that in most jurisdictions, the
government would be liable to cover the costs/damages of the CA. If that
cost is the total revenue of the company, the government might think
twice before attempting to compel the CA.

> The fact that the CA faces being destroyed doesn't change the legal
> situation about whether this can be done legally or not.

Even assuming this is true (which I am not sure about, as explained
above), it does make a practical difference:

Without strong deterrents ("if you do this, your CA is gone"), companies
are much more likely not to contest attempts to compel them. Without a
deterrent, they have to choose between simply doing what the government
says, with no real risk to their business, or contesting it, which will
cost them a lot of lawyer fees. With such a deterrent in place, they
will be motivated to fight for their life. Knowing that, the government
will also be less likely to attempt to compel them, since it is less
likely to succeed quickly.

It also motivates CAs to protect themselves from compelled requests.
Companies move around countries to evade taxes all the time, they will
be willing to create appropriate legal entities (and move their HSM if
necessary) when provided with the correct motivation. It's not like they
have to move their entire office and operations, just enough stuff so
the remainder of the company is technically and/or legally unable to
comply with any compelled requests.


[Group deciding which CAs should be trusted]

> How would you choose such a group?

Most probably, Mozilla would appoint the members. I don't know how
Mozilla's regular decision-making process looks like, but I assume
neither the process nor the people involved are optimal for making lots
of trust decisions about individual CAs.

> This sounds a lot like "trial in the court of public opinion" to me,

It probably is. While a strict policy-based approach may be considered
"fairer", it is nearly impossible to formalize trust, and this is a
decision about trust.

Kind regards,

[Kyle Hamilton]

+1.0E10000 (aka 1 googolplex)

What is the technical difference between web certs and email certs? In
NSS, there is none. Once you have LI certs, you have also opened companies
to political espionage by people appearing to have legitimate governmental
identity credentials. This is the thing that the third-party attestation
function is explicitly supposed to prevent.

The capacity of a CA to attest to exactly whom the certificate was issued
is violated the instant it's placed under a gag order. Whether you want
lawful intercept or not, that's a fundamental abrogation of the CA's duty.

I agree with Jan. This can't be allowed or condoned, it simply can't.

If it is, then we're back to the "everybody is a CA" model of PGP's web of
trust, because nobody can trust the claims of any commercial CA, and
Mozilla has wasted some incredible amount of money on a program provided
only as snake oil.

Isn't that a violation of fair labeling standards and consumer protection
law, as well as an abhorrent violation of Mozilla's principles? Whose side
are you on, the government's or the user's?

More specifically: does any government provide any grants to Mozilla, or
does its income come solely from donations and interest on investments? If
the government isn't paying the piper, then the government can't get to
call the tune.

-Kyle H

On Mar 23, 2013 3:41 AM, "Jan Schejbal" <jan.sche...@gmx.de> wrote:

> Am 2013-03-22 14:22, schrieb Gervase Markham:

> > why is "lawful intercept" in general OK
> > but "lawful intercept using certs" not OK?
>

> No matter the stance on lawful intercept, the job of the CA system is to
> correctly certify identity. Lawful intercept using certs is
> misrepresentation of identity. Allowing this opens a deep deep hole that
> should not be opened.
>
> Let's turn it around: If we say that "lawful intercept using certs" is
> OK, we basically say that we intentionally weaken existing technical
> protections to allow totalitarian countries to eavesdrop on activists
> (lawfully according to their laws).
>
> This is not a stance I want anyone to take, and certainly not Mozilla,
> the organization that claims to protect its users.
>
> There is another problem with allowing "lawful interception"
> certificates to be issued: A rogue country could get a lawful
> interception sub-CA, issue arbitrary certs for arbitrary domains, do
> some BGP rerouting, and suddenly attack traffic that goes from me, a
> German citizen in Germany, to a server of a German company in Germany
> (i.e. outside their jurisdiction). I expect Mozilla to take technical
> countermeasures against this (i.e. yank the root). With a "LI using
> certs is OK" approach, Mozilla could only watch as their users get
> pwned. (The CA just complied with the law, the government is the one
> exceeding their jurisdiction.)
>
>

> > And if the CA loses in the legal system in its own jurisdiction, having
> > fought all the way, that still should be the end of its business?
>

> Yes. If a CA is unable to do its job, i.e. correcty certify identity
> without misrepresenting it, no matter the reason, then the CA is unable
> to be a CA.
>
> Also, I have pointed out that this is kind of a self-fulfilling
> prophecy: If we tolerate CAs misissuing certificates for "lawful
> intercept" after they fought it in court, it becomes much more probable
> that they will be compelled. If we make clear that mississuing means the
> CA is gone, the CA has much better chance to fend it off. Politicans are
> also less likely to enact laws that would mean that CAs could not
> operate in their jurisdiction, since that would not achieve their aim
> (get LI certificates) but simply drive companies out of the country.
>

> > The fact that the CA faces being destroyed doesn't change the legal
> > situation about whether this can be done legally or not.
>

> I am not a lawyer, but I am pretty sure that in Germany, the
> constitutional court would rule a law that would force the CA to face
> destruction unconstitutional, while the same law would be OK if the CA
> would not face destruction. Also, I think that regular courts would rule
> any demand that would risk the destruction of the company unreasonable,
> while the same demand that would not bear this risk may be considered
> reasonable.
>
> If you look at https://www.eff.org/files/colour_map_of_CAs.pdf, Germany
> may not have that many root CAs, but it certainly has a lot of CAs.
>
> Even if a CA can be compelled, I think that in most jurisdictions, the
> government would be liable to cover the costs/damages of the CA. If that
> cost is the total revenue of the company, the government might think
> twice before attempting to compel the CA.
>
>

> > The fact that the CA faces being destroyed doesn't change the legal
> > situation about whether this can be done legally or not.
>

> Even assuming this is true (which I am not sure about, as explained
> above), it does make a practical difference:
>
> Without strong deterrents ("if you do this, your CA is gone"), companies
> are much more likely not to contest attempts to compel them. Without a
> deterrent, they have to choose between simply doing what the government
> says, with no real risk to their business, or contesting it, which will
> cost them a lot of lawyer fees. With such a deterrent in place, they
> will be motivated to fight for their life. Knowing that, the government
> will also be less likely to attempt to compel them, since it is less
> likely to succeed quickly.
>
> It also motivates CAs to protect themselves from compelled requests.
> Companies move around countries to evade taxes all the time, they will
> be willing to create appropriate legal entities (and move their HSM if
> necessary) when provided with the correct motivation. It's not like they
> have to move their entire office and operations, just enough stuff so
> the remainder of the company is technically and/or legally unable to
> comply with any compelled requests.
>
>
> [Group deciding which CAs should be trusted]

> > How would you choose such a group?
>

> Most probably, Mozilla would appoint the members. I don't know how
> Mozilla's regular decision-making process looks like, but I assume
> neither the process nor the people involved are optimal for making lots
> of trust decisions about individual CAs.
>

> > This sounds a lot like "trial in the court of public opinion" to me,
>

> It probably is. While a strict policy-based approach may be considered
> "fairer", it is nearly impossible to formalize trust, and this is a
> decision about trust.
>
> Kind regards,

> Jan
>
> --
> Please avoid sending mails, use the group instead.
> If you really need to send me an e-mail, mention "FROM NG"
> in the subject line, otherwise my spam filter will delete your mail.
> Sorry for the inconvenience, thank the spammers...

[Gervase Markham]

On 23/03/13 19:13, Kyle Hamilton wrote:
> I agree with Jan. This can't be allowed or condoned, it simply can't.

So are you saying "lawful intercept is always wrong", or are you saying
"it's not always wrong, but it's always wrong to use the cert system to
do it, because of the possible consequences"?

> More specifically: does any government provide any grants to Mozilla, or
> does its income come solely from donations and interest on investments? If
> the government isn't paying the piper, then the government can't get to
> call the tune.

Mozilla's financial information is available here:
http://www.mozilla.org/foundation/documents/

Gerv

[Gervase Markham]

On 23/03/13 10:41, Jan Schejbal wrote:
> Let's turn it around: If we say that "lawful intercept using certs" is
> OK, we basically say that we intentionally weaken existing technical
> protections to allow totalitarian countries to eavesdrop on activists
> (lawfully according to their laws).

Er, no. If you read what I wrote carefully, I am not saying that we need
to take a position of either "lawful intercept is always wrong", or
"lawful intercept is always OK".

My first question is: is it _always_ wrong? If it is not always wrong,
then we have to get into deciding when it's wrong and when it's not.

> This is not a stance I want anyone to take, and certainly not Mozilla,
> the organization that claims to protect its users.

No-one is taking that stance. Please try and discuss the issue with more
nuance.

>> And if the CA loses in the legal system in its own jurisdiction, having
>> fought all the way, that still should be the end of its business?
>
> Yes. If a CA is unable to do its job, i.e. correcty certify identity
> without misrepresenting it, no matter the reason, then the CA is unable
> to be a CA.
>
> Also, I have pointed out that this is kind of a self-fulfilling
> prophecy: If we tolerate CAs misissuing certificates for "lawful
> intercept" after they fought it in court, it becomes much more probable
> that they will be compelled. If we make clear that mississuing means the
> CA is gone, the CA has much better chance to fend it off. Politicans are
> also less likely to enact laws that would mean that CAs could not
> operate in their jurisdiction, since that would not achieve their aim
> (get LI certificates) but simply drive companies out of the country.

These are good points. There is moral hazard in allowing this; if we do,
it's likely to happen more often.

> If you look at https://www.eff.org/files/colour_map_of_CAs.pdf, Germany
> may not have that many root CAs, but it certainly has a lot of CAs.

(I believe that number is skewed by the unusual (but legal and
reasonable) practices of one German academic network.)

Gerv

[Chris Palmer]

On Fri, Mar 22, 2013 at 6:22 AM, Gervase Markham <ge...@mozilla.org> wrote:

> I am pretty certain there is legislation in both the US and UK which
> could be used to compel a CA to issue a certificate and not tell anyone
> about it.

I am not certain that is true — but, also, we are not knowledgeable
about the law; we are hackers.

That said, take a look at the recent fun related to National Security
Letters. Their prior restraint on speech is pretty anthithetical to
established First Amendment principles, and at least one federal court
now agrees. Expect increased entertainment during the appeals
process...

https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules

> It may not be the case that all governments have this
> legislation, but the point still stands if only a proportion do.
> Particularly if they are the ones were many CAs are based.
>

> The fact that the CA faces being destroyed doesn't change the legal
> situation about whether this can be done legally or not.

I'm pretty sure it does, or can, at least in the US. US laws that
require e.e. service providers to cooperate with the government often
have something to say about the "reasonable cost" of the cooperation,
sometimes even mandating that the government remunerate the private
entity to some extent. Surely, "cooperation would destroy our ability
to compete in the marketplace" would count as an "unreasonable" cost,
although those things tend to be heavily litigated and subject to
significant interpretation.

Again, though, we are not lawyers. Perhaps we could get some
background information from actual lawyers before continuing this line
of discussion. :)

For the time being, I am happy to treat misissuance as partly a
technical problem, and to partly handle it by technical means (CT, key
pinning, TACK, whatever). It will never be wholly a technical problem,
and as technicians, parts of the problem will be outside our area of
expertise.

[Zack Weinberg]

On 2013-03-25 7:52 AM, Gervase Markham wrote:
> On 23/03/13 10:41, Jan Schejbal wrote:
>> Let's turn it around: If we say that "lawful intercept using certs" is
>> OK, we basically say that we intentionally weaken existing technical
>> protections to allow totalitarian countries to eavesdrop on activists
>> (lawfully according to their laws).
>
> Er, no. If you read what I wrote carefully, I am not saying that we need
> to take a position of either "lawful intercept is always wrong", or
> "lawful intercept is always OK".
>
> My first question is: is it _always_ wrong? If it is not always wrong,
> then we have to get into deciding when it's wrong and when it's not.

I would like to stick in here that I think "we do not permit lawful
intercept using certs under any circumstances, _because_ we are not
institutionally prepared to reason about what circumstances might make
it acceptable" is a valid and reasonable position for Mozilla to take.

zw

[secgu...@yandex.com]

Quoting ge...@mozilla.org

> Having now read all the mails on this subject in the Teliasonera thread,
> I think there are a few fundamental questions we would need to answer
> before making policy in this area.
>
> 1) Does Mozilla support the principle of "lawful intercept" or not?
>
> Or, to put it another way, do we think it is automatically wrong for any
> government to read the communications of its citizens or others in any
> and every circumstance?
>

The answers to this two questions must not be neccessarily the same.
Regardless whether governments in any jurisdiction (are allowed to) read
the communications of its citizens or foreigners, it should not be
Mozillas job to support it.

Lowering the bar in policies for root certificate inclusions in a way of
preemptive obedience to allow law enforcement bodies to misuse the CA
infrastructure opens a can of worms.
Mozilla then has to argue, that government A in country B is allowed to
do C, while government D of country E is allowed to do F, but not C.
Perhaps government D is entitled to contract a private corporation,
doing F and C in B and abroad.

Where to draw the line? Neither Mozilla nor the community are able to
judge all varied cases, not to mention consensus. The only solution is
zero tolerance for improper use of included certificates.

Otherwise we give compelled CA companies the excuse "Mozillas policy
allowed us to collaborate with the government" and the user will
rightly blame Mozilla.

The point of enforcing "lawful intercept" is, that the law forces you to
do something that you are not doing voluntarily. If Mozillas policy is
willing to support and assist right from the beginning, the included CAs
are an unneccessary easy target. "Lawful interceptors" will be
encouraged to tamper with the CA business instead of forcing the
service providers to handover communication data.


Another question and in my opinion the only possible point of discussion
is in what Mozilla trusts with root inclusion and so where to stop with
zero tolerance:
a. only trust in the the proper use of the included certificate(s) of
specific CA
b. even require no misuse of not included certificates of this CA
c. issuer of the certificate in compliance with zero tolerance policy
all the time
d. CA company without fault
e. CA owners or its owning corporation/government always on users side
f. law enforcement agencies of the country where the CA company is
seated never tampering with the CA business
g. governmental punishment for every misissuance of certificates in its
whole jurisdiction
h. no interception of communications in any and every circumstance
allowed in whole country
...

Hoping you get my point.
After deciding how far to climb this ladder and ensuring that Mozilla
and its community can control the lower rungs, apply a policy of zero
tolerance.


[...]
>
> Gerv
>


All the best.
sg

[Eddy Nigg]

On 03/19/2013 11:49 AM, From Gervase Markham:

> 1) Does Mozilla support the principle of "lawful intercept" or not?

I assume it's NOT - simply put, the Mozilla CA Policy has clear
requirements what a CA MUST do in order to issue a certificate. The BR
helps in this respect and nowhere does the BR nor the Mozilla CA Policy
state the a CA may issue a certificate without doing those minimum
requirements set forth by those policies.

More than that, CAs have usually policies in place which state the
requirements it placed upon itself in order to issue a certificate too.
We would have to find a CA that explicitly states that it would issue
certificate against the BR and Mozilla Policy in order to discuss
anything that variates from those policies.

Finally, Mozilla and probably the CAB Forum too would have to change
their policies and requirements first stating that there is a clause to
override those requirements. And probably nobody wants that.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

[Rob Stradling]

On 25/03/13 11:52, Gervase Markham wrote:
<snip>

> My first question is: is it _always_ wrong? If it is not always wrong,
> then we have to get into deciding when it's wrong and when it's not.

Gerv, forgive me if I'm putting words into your mouth, but you seem to
be implying here that the Mozilla CA Policy MUST allow everything that
is "not wrong" (by some definition of "wrong"). I don't think Mozilla
should feel forced to set the bar that low, and I think we can avoid
having to "get into deciding when it's wrong and when it's not".

There's nothing "wrong" with 1024-bit RSA keys from a Legal, Moral or
Cryptographic perspective, but nonetheless the Mozilla CA Policy says
that they must be phased out at the end of this year. Is somebody
suddenly going to crack 1024-bit RSA sometime this year? Probably not.
But Mozilla has concluded that it no longer has confidence that
<2048-bit RSA possesses sufficient security properties for these
keysizes to be permitted by the Mozilla CA Policy.

Can we all agree that - at the very least - "lawful intercept" is "not
always right"? If so, then I think Mozilla could reasonably conclude
that (just as with 1024-bit RSA) it does not have confidence that
"lawful intercept" possesses sufficient security properties for it to be
permitted by the Mozilla CA Policy.

[Phillip Hallam-Baker]

I get rather worried about this sort of discussion remembering the
outcome of the cryptowars. People spent a lot of time making sure
IPSEC and S/MIME were proof against interception by Louis Freeh and
they succeeded.

Almost no thought went into how people would be able to use the
resulting technology which has ended up practically unused as a
result.

[Henri Sivonen]

On Tue, Mar 19, 2013 at 11:49 AM, Gervase Markham <ge...@mozilla.org> wrote:
> 1) Does Mozilla support the principle of "lawful intercept" or not?

I'm inclined to think that this isn't the right question.

For example, an anti-virus vendor might think that $CRIME is worth
jail time. Still, it doesn't follow that the anti-virus vendor should,
as part of its scan of its users' files, search for evidence of
$CRIME. Doing that would harm the trust the users place in the
anti-virus vendor, since a product would not be working exclusively
for the user but would also be working for some third-party
enforcement entity.

Also, it might be otherwise disadvantageous to participate in
enforcing rules against the user for the benefit of a third party. For
example, Mozilla fought font DRM. AFAIK, not from a position that
users should be able to pirate fonts but from not wishing to have
liability under anti-circumvention laws for failed DRM enforcement. So
"Does Mozilla support the principle of copyright on 'font software'?"
would have been missing the point.

TLS is about intercept-free communications. I would expect the role of
TLS implementation provider to be providing the means for
intercept-free communications to their users. I expect the trust
relationship between users and the provider of a TLS implementation
would be hurt if the provider of the TLS implementation voluntarily
enabled intercept.

(IANAL, but I thought that "lawful intercept" laws compelled operators
of communication networks to facilitate lawful intercept, but didn't
require providers of endpoint software who don't also operate the
communication network to do anything in particular. That's why I said
"voluntarily" above.)

--
Henri Sivonen
hsiv...@iki.fi
http://hsivonen.iki.fi/

[Rob Stradling]

Phill, are you saying that you're worried that TLS and the Web PKI might
become "practically unused as a result" of "this sort of discussion" ?

[Phillip Hallam-Baker]

On Tue, Mar 26, 2013 at 11:06 AM, Rob Stradling
<rob.st...@comodo.com> wrote:
> On 26/03/13 12:15, Phillip Hallam-Baker wrote:
>>
>> I get rather worried about this sort of discussion remembering the
>> outcome of the cryptowars. People spent a lot of time making sure
>> IPSEC and S/MIME were proof against interception by Louis Freeh and
>> they succeeded.
>>
>> Almost no thought went into how people would be able to use the
>> resulting technology which has ended up practically unused as a
>> result.
>
>
> Phill, are you saying that you're worried that TLS and the Web PKI might
> become "practically unused as a result" of "this sort of discussion" ?

No but we can easily cut off our nose to spite our face here.

We can also spend an inordinate amount of time attempting to develop
schemes that are undeployable because they would make the Web PKI
unacceptable to site owners.


--
Website: http://hallambaker.com/

[Gervase Markham]

On 25/03/13 19:19, Zack Weinberg wrote:
> I would like to stick in here that I think "we do not permit lawful
> intercept using certs under any circumstances, _because_ we are not
> institutionally prepared to reason about what circumstances might make
> it acceptable" is a valid and reasonable position for Mozilla to take.

Yes, I entirely agree that it would be.

Gerv

[Gervase Markham]

On 26/03/13 11:10, Rob Stradling wrote:
> Gerv, forgive me if I'm putting words into your mouth, but you seem to
> be implying here that the Mozilla CA Policy MUST allow everything that
> is "not wrong" (by some definition of "wrong"). I don't think Mozilla
> should feel forced to set the bar that low, and I think we can avoid
> having to "get into deciding when it's wrong and when it's not".

Well, sort of.

If one supports the principle of lawful intercept (in some
circumstances), then presumably one supports it not because it's simply
"not wrong" but because it's a necessary part of the government doing
its job of protecting the citizenry from those who would do them harm.
Therefore, unnecessary obstruction to the administration of justice in
this way is something Mozilla might want to avoid.

> There's nothing "wrong" with 1024-bit RSA keys from a Legal, Moral or
> Cryptographic perspective, but nonetheless the Mozilla CA Policy says
> that they must be phased out at the end of this year.

I dispute the addition of "cryptographic" to your list; the entire point
of the phase-out is that they are cryptographically within a margin of
unacceptable risk. If they weren't, we'd still be using them.

> Can we all agree that - at the very least - "lawful intercept" is "not
> always right"? If so, then I think Mozilla could reasonably conclude
> that (just as with 1024-bit RSA) it does not have confidence that
> "lawful intercept" possesses sufficient security properties for it to be
> permitted by the Mozilla CA Policy.

Are you basically saying what Zack just said, or something a little
different?

Gerv

[Gervase Markham]

On 25/03/13 18:52, Chris Palmer wrote:
> I'm pretty sure it does, or can, at least in the US. US laws that
> require e.e. service providers to cooperate with the government often
> have something to say about the "reasonable cost" of the cooperation,
> sometimes even mandating that the government remunerate the private
> entity to some extent. Surely, "cooperation would destroy our ability
> to compete in the marketplace" would count as an "unreasonable" cost,
> although those things tend to be heavily litigated and subject to
> significant interpretation.

This is a good point; I withdraw that particular assertion.

Gerv

[Rob Stradling]

On 27/03/13 09:33, Gervase Markham wrote:
> On 26/03/13 11:10, Rob Stradling wrote:

>> Gerv, forgive me if I'm putting words into your mouth, but you seem to
>> be implying here that the Mozilla CA Policy MUST allow everything that
>> is "not wrong" (by some definition of "wrong"). I don't think Mozilla
>> should feel forced to set the bar that low, and I think we can avoid
>> having to "get into deciding when it's wrong and when it's not".
>

> Well, sort of.
>
> If one supports the principle of lawful intercept (in some
> circumstances), then presumably one supports it not because it's simply
> "not wrong" but because it's a necessary part of the government doing
> its job of protecting the citizenry from those who would do them harm.
> Therefore, unnecessary obstruction to the administration of justice in
> this way is something Mozilla might want to avoid.

I'm not sure about "If...then...because it's a necessary part".

I don't doubt that "lawful intercept" is a useful tool for governments,
but I'd be surprised if administering justice became impossible just
because that particular tool was made unavailable.

>> There's nothing "wrong" with 1024-bit RSA keys from a Legal, Moral or
>> Cryptographic perspective, but nonetheless the Mozilla CA Policy says
>> that they must be phased out at the end of this year.
>

> I dispute the addition of "cryptographic" to your list; the entire point
> of the phase-out is that they are cryptographically within a margin of
> unacceptable risk. If they weren't, we'd still be using them.

OK.

>> Can we all agree that - at the very least - "lawful intercept" is "not
>> always right"? If so, then I think Mozilla could reasonably conclude
>> that (just as with 1024-bit RSA) it does not have confidence that
>> "lawful intercept" possesses sufficient security properties for it to be
>> permitted by the Mozilla CA Policy.
>

> Are you basically saying what Zack just said, or something a little
> different?

I'm basically saying what Zack just said. (Sorry, I must have missed
Zack's message before).

[Phillip Hallam-Baker]

On Wed, Mar 27, 2013 at 5:34 AM, Gervase Markham <ge...@mozilla.org> wrote:
> On 25/03/13 18:52, Chris Palmer wrote:

>> I'm pretty sure it does, or can, at least in the US. US laws that
>> require e.e. service providers to cooperate with the government often
>> have something to say about the "reasonable cost" of the cooperation,
>> sometimes even mandating that the government remunerate the private
>> entity to some extent. Surely, "cooperation would destroy our ability
>> to compete in the marketplace" would count as an "unreasonable" cost,
>> although those things tend to be heavily litigated and subject to
>> significant interpretation.
>

> This is a good point; I withdraw that particular assertion.

We went through all this at considerable length in the cryptowars. At
one point we had to sell server gated crypto certs so that the NSA
could break communications but allegedly nobody else could. Then the
40 bit crypto was broken. We had long arguments with the FBI.

Intercepting communications probably isn't as interesting as dropping
backdoors onto the endpoints or retrieving static data like files from
them. I suspect that the reason the intelligence and Law Enforcement
agencies backed off interception is that static data reveals more.
That and people started to realize Freeh was simply incompetent. He
had no clue as to the value of the data he was demanding he should be
allowed to collect.

Mechanisms like CT might be useful as a means of discouraging states
from coercing issue of a certificate. But I can't see a good way to
protect the browser providers from a National Security Letter or the
like. The US court system has found a lot of ways to ignore the
constitution since 9/11 and the UK courts don't even need to pretend.


--
Website: http://hallambaker.com/

[Gervase Markham]

On 27/03/13 10:51, Rob Stradling wrote:
> I don't doubt that "lawful intercept" is a useful tool for governments,
> but I'd be surprised if administering justice became impossible just
> because that particular tool was made unavailable.

There are few surveillance tools without which administering justice
becomes impossible - it's always a matter of degree. Which is what makes
discussions about what should and shouldn't be allowed, with or without
what safeguard, so complex.

>> Are you basically saying what Zack just said, or something a little
>> different?
>
> I'm basically saying what Zack just said. (Sorry, I must have missed
> Zack's message before).

No criticism, BTW - just getting confirmation of agreement :-)

Gerv

[Phillip Hallam-Baker]

On Wed, Mar 27, 2013 at 2:45 PM, Gervase Markham <ge...@mozilla.org> wrote:
> On 27/03/13 10:51, Rob Stradling wrote:

>> I don't doubt that "lawful intercept" is a useful tool for governments,
>> but I'd be surprised if administering justice became impossible just
>> because that particular tool was made unavailable.
>

> There are few surveillance tools without which administering justice
> becomes impossible - it's always a matter of degree. Which is what makes
> discussions about what should and shouldn't be allowed, with or without
> what safeguard, so complex.

It is pretty difficult to pull off something like Operation Ajax
without the ability to intercept government communications.

I think that there is a reason that military coups pretty much stopped
completely in the mid 1970s and I think it is the same reason that
some of us were being harassed during the cryptowars.

Operation Ajax (the 1953 coup that snuffed out democracy in the Middle
East) looks like a completely ridiculous plan unless they had the
advantage of knowing which army officers would back a coup and which
ones to murder.

--
Website: http://hallambaker.com/

[Gervase Markham]

OK.

On 19/03/13 09:49, Gervase Markham wrote:
> 1) Does Mozilla support the principle of "lawful intercept" or not?

It seems like the consensus answer to this question is: Mozilla takes no
position on the rightness or wrongness of government surveillance in
particular circumstances. However, we are not prepared to accept "we
were compelled by law or government" as a mitigating factor in a case of
CA misconduct or misissuance.

One corollary of explicitly not taking a position on lawful intercept is
that we should not bar an organization from being a CA because it or an
affiliated company is in the lawful intercept business. (Because that
would be taking a position, which we have said we are not going to do.)

Now, how about questions 2 and 3 and 4, particularly 3?

Gerv

> 2) What evidence does Mozilla accept when assessing a CA?
>
> If we do decide to put in place some standards of behaviour, association
> or business practice, how do we evaluate whether a CA has violated them?
>
> I am strongly of the opinion that it is not reasonable to try a
> potential or existing CA in the court of public opinion. We need
> evidence. Actual certs (e.g. used for MITM) are the best evidence (as
> it's cryptographically strong), probably followed by a statement from
> the company itself that it does <thing> that we have decided not to
> allow. Where things get murkier are if a journalist writes an "exposé"
> which can't be verified through other sources.
>
> And as Mozilla hasn't got the resources to pay people to do all the
> necessary research into each business ourselves, so it could be that
> whether a CA gets in or not depends more on the number and motivation of
> the people who are bothering to investigate for us rather than on a
> level-headed comparison of what they are up to with other CAs we've
> accepted or rejected.

>
> Also, particularly in the case of government CAs, there are as many ways
> of being "associated with government" as there are CAs. How do we decide
> when a CA is "too close", given that any government almost certainly has
> a mechanism to compel a CA under its jurisdiction to issue a cert,
> whether or not that CA is a government CA.
>

> 3) How do we choose assessment criteria?
>
> Many criteria have been suggested - government of a "repressive regime",
> sells technology to "repressive regimes", and so on. There are a load of
> complex and deeply political definitional issues here, and we should be
> under no illusion that defining such things is privileging some
> cultures, governmental structures, and societal arrangements above others.
>
> Speaking entirely personally, I have no problem saying that one culture
> and way of doing things is superior to another (I'd say the cultures
> which are closest to Christian thought and behaviour are better :-) but
> I am certain that other people will have different criteria and some
> people would want to argue strongly for no criteria at all, because to
> do so would be "cultural imperialism". So I can imagine this being an
> enormous argument as well.
>
> 4) What impact would some of these proposed policies have?
>
> It would be unfortunate and destabilising if we decided on a principle
> which, in practice, meant we had to distrust most of the public certs on
> the Internet. While we might be able to manage the problem somewhat
> using sunset dates, that would probably have a significant effect on
> Mozilla's public image (in some circles for good, others for bad) and
> Firefox's market share (probably in the downwards direction). Mozilla's
> mission is a wide one, including more than just "prevent governments
> from spying on people" (some might argue that it doesn't include that at
> all) and much of it is underpinned by our continued success. The world
> is bigger than the concerns of mozilla.dev.security.policy.
>
> This is not an argument for or against any particular policy, it's an
> argument for not making public statements like "CAs may not be in the
> business of providing surveillance equipment" before we investigate how
> many CAs are actually in that business, what impact kicking them all out
> would have, and whether banning them from doing that would actually
> improve user security in plausible scenarios.
>
> Gerv
>

[Zack Weinberg]

On 2013-03-29 6:17 AM, Gervase Markham wrote:
> OK.
>
> On 19/03/13 09:49, Gervase Markham wrote:
>> 1) Does Mozilla support the principle of "lawful intercept" or not?
>
> It seems like the consensus answer to this question is: Mozilla takes no
> position on the rightness or wrongness of government surveillance in
> particular circumstances. However, we are not prepared to accept "we
> were compelled by law or government" as a mitigating factor in a case of
> CA misconduct or misissuance.
>
> One corollary of explicitly not taking a position on lawful intercept is
> that we should not bar an organization from being a CA because it or an
> affiliated company is in the lawful intercept business. (Because that
> would be taking a position, which we have said we are not going to do.)

In *my* head anyway, that doesn't follow. Even if we're declining to
take a position on whether "lawful intercept" is right or wrong, we can
(and IMO should) recognize that there is a direct conflict of interest
between being in the CA business and being in the lawful-intercept
business, and insist that organizations be one or the other.

zw

[Phillip Hallam-Baker]

Since I was in both businesses for eight years, I can't see the logic there.

The only CA that I know of to work in Lawful Intercept was VeriSign. That
particular business involved processing the writs, subpoenas etc. issued by
the courts, determining whether they were authentic, determining if it was
possible to comply, if so what actions to take and then telling the
customer what to actually do.

It was exactly the type of service that I would expect an organization like
Mozilla to benefit from if it was running a Web Service like browser
history or a webmail system or the like and receiving a non trivial number
of subpoenas.

Putting the process in the hands of a third party has an economic benefit
(the costs are borne by Law Enforcement) and also a security benefit as it
means that there is a dual control in place checking the demands.

There is a big difference between managing a Lawful Intercept program for a
client and knowingly issuing a false credential to compromise an
authentication mechanism.

In the case of the telephone system there is no authentication mechanism to
bypass.

On Fri, Mar 29, 2013 at 8:42 PM, Zack Weinberg <za...@panix.com> wrote:

> On 2013-03-29 6:17 AM, Gervase Markham wrote:
>

>> OK.
>>
>> On 19/03/13 09:49, Gervase Markham wrote:
>>
>>> 1) Does Mozilla support the principle of "lawful intercept" or not?
>>>
>>
>> It seems like the consensus answer to this question is: Mozilla takes no
>> position on the rightness or wrongness of government surveillance in
>> particular circumstances. However, we are not prepared to accept "we
>> were compelled by law or government" as a mitigating factor in a case of
>> CA misconduct or misissuance.
>>
>> One corollary of explicitly not taking a position on lawful intercept is
>> that we should not bar an organization from being a CA because it or an
>> affiliated company is in the lawful intercept business. (Because that
>> would be taking a position, which we have said we are not going to do.)
>>
>

> In *my* head anyway, that doesn't follow. Even if we're declining to take
> a position on whether "lawful intercept" is right or wrong, we can (and IMO
> should) recognize that there is a direct conflict of interest between being
> in the CA business and being in the lawful-intercept business, and insist
> that organizations be one or the other.
>
> zw
>

> ______________________________**_________________
> dev-security-policy mailing list
> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>



--
Website: http://hallambaker.com/

[Jan Schejbal]

Am 2013-03-25 20:19, schrieb Zack Weinberg:
>
> I would like to stick in here that I think "we do not permit lawful
> intercept using certs under any circumstances, _because_ we are not
> institutionally prepared to reason about what circumstances might make
> it acceptable" is a valid and reasonable position for Mozilla to take.

Thank you, that is exactly what I was thinking about.

[Jan Schejbal]

Am 2013-03-29 11:17, schrieb Gervase Markham:
> One corollary of explicitly not taking a position on lawful intercept is
> that we should not bar an organization from being a CA because it or an
> affiliated company is in the lawful intercept business. (Because that
> would be taking a position, which we have said we are not going to do.)

My view on this is: A company can only be a CA if we believe that they
will perform certificate issuance only according to policy. If there is
any indication that the CA will violate policy (no matter why), they
can't be a CA.

If we think that the CA can separate its CA part and LI part and not
abuse one (i.e. violate policy) to support the other, then being in the
LI business does not stop a company from being a CA.

If we assume that any LI/CA company is willing to intentionally misissue
to support the LI business, such a company must not be accepted as a CA.

I, personally, would not consider being in the LI business sufficient
indication *by itself* that the CA is willing to misissue.

[ch...@soghoian.net]

Phillip's message makes it sound like VeriSign was merely providing outsourced clerical and legal assistance to companies that couldn't afford to employ expensive surveillance lawyers in-house. As he describes it, VeriSign determined if it was possible to comply with the surveillance order, and then merely passed on the info to the customer (the ISP) which would then perform the surveillance.

VeriSign's public marketing materials in fact suggest that the company provided a bit more than just neutral legal analysis of incoming requests:

"Just like voice networks, wireless data technologies need a simple, non-disruptive and cost-effective intercept solution," said Raj Puri, VP of NetDiscovery Services for VeriSign Telecommunication Services. "We have the ability to access virtually any packet data network and by using mediation equipment deployed in our network, VeriSign can provide a secure, reliable, cost-efficient solution that enables carriers with GPRS or CDMA 1x technologies to comply with all lawful intercept requirements without impacting network performance."

"As the need for lawful intercept solutions continues to expand globally, VeriSign intends to remain in the forefront of development of innovative, trusted solutions that balance the needs of homeland security with the needs of communications service providers and their customers in the U.S. and abroad," said Puri.

See: http://xml.coverpages.org/NetDiscovery.html

As a practical matter, I don't think a Certificate Authority should be in the business of balancing "the needs of homeland security with the needs of communications service providers and their customers in the U.S. and abroad." I want certificate authorities to issue honest, reliable certificates, and nothing else.

TeliaSonera doesn't perform the boring outsourced legal analysis that Phillip describes. Instead, the company willingly permitted a few really nasty governments to install interception equipment onto their network.

See: http://www.thelocal.se/40334/20120418/

"In Azerbaijan, Belarus, and Uzbekistan, for example, there is a system called Sorm which is connected to TeliaSonera's network and which allows authorities complete access to the countries' telecom system."

See also: http://www.wired.com/dangerroom/2012/12/russias-hand/all/ (describing in detail the Russian made SORM mass interception system)

Letting a government intelligence agency silently capture your customer's traffic is about the most untrustworthy thing a telco can do. Remember the reaction from the Internet community when we learned that AT&T had permitted the NSA to install a bunch of equipment in room 641A in its Folsom Street facility in San Francisco? (see: http://en.wikipedia.org/wiki/Room_641A).

AT&T violated the privacy of its customers, as did TeliaSonera. Neither should be permitted to be in the Certificate Authority business.

It shouldn't take direct evidence that the Certificate Authority granting powers have been abused before TeliaSonera is kicked out of the trust database. Permitting the installation of mass interception equipment should be enough - particularly when the intercept system is SORM, in which the ISP has no idea which of its users are being monitored, and cannot detect, prevent or speak out about specific abuses.

A Certificate Authority should be trustworthy. TeliaSonera has proven they cannot be trusted.

[Phillip Hallam-Baker]

On Sun, Mar 31, 2013 at 4:13 AM, <ch...@soghoian.net> wrote:

>
> VeriSign's public marketing materials in fact suggest that the company
> provided a bit more than just neutral legal analysis of incoming requests:
>

Most people would think twice before using the phrases 'public marketing
materials' and 'in fact' in the same sentence.

If the type of capability suggested in the marketing material was possible
in the manner suggested, why would there be any need for a subpoena in the
first place? The only justification for a subpoena is that the specified
party can deliver information that they could not obtain themselves.

As for what was going on in Folsom Street, all the available information
suggests that was an example of an unlawful intercept which is another
issue entirely.

--
Website: http://hallambaker.com/

[Gervase Markham]

On 30/03/13 00:42, Zack Weinberg wrote:
> In *my* head anyway, that doesn't follow. Even if we're declining to
> take a position on whether "lawful intercept" is right or wrong, we can
> (and IMO should) recognize that there is a direct conflict of interest
> between being in the CA business and being in the lawful-intercept
> business, and insist that organizations be one or the other.

Why is being in the lawful intercept business, from Mozilla's point of
view, different from being in any other business? Saying that it is
different, and that CAs should not be allowed to be in it, is taking a
position on the goodness/rightness (or otherwise) of lawful intercept. I
don't think you can have this one both ways.

Gerv

[Gervase Markham]

On 30/03/13 04:31, Jan Schejbal wrote:
> If we assume that any LI/CA company is willing to intentionally misissue
> to support the LI business, such a company must not be accepted as a CA.
>
> I, personally, would not consider being in the LI business sufficient
> indication *by itself* that the CA is willing to misissue.

Well, that would be a reasonable position, as long as it didn't become a
proxy for something else. For example, if someone (not suggesting it
would be you) said "I think any CA based in China is willing to
intentionally misissue certificates to support the LI business, whereas
any CA based in the US is not".

Gerv

[Moudrick M. Dadashov]

On 4/1/2013 3:25 PM, Gervase Markham wrote:
> On 30/03/13 00:42, Zack Weinberg wrote:

>> In *my* head anyway, that doesn't follow. Even if we're declining to
>> take a position on whether "lawful intercept" is right or wrong, we can
>> (and IMO should) recognize that there is a direct conflict of interest
>> between being in the CA business and being in the lawful-intercept
>> business, and insist that organizations be one or the other.

> Why is being in the lawful intercept business, from Mozilla's point of
> view, different from being in any other business? Saying that it is
> different, and that CAs should not be allowed to be in it, is taking a
> position on the goodness/rightness (or otherwise) of lawful intercept. I
> don't think you can have this one both ways.

The answer depends what your definition of CA is. I'm still looking for
something more or less generally defined term under the Mozilla policy.
No success yet.
Should the policy make a difference between a CA who "makes for a
living" from the certification activities and an umbrella company whose
business covers the whole infrastructure and whose revenues from the
certification activity is less than 0.0000000001% of its total revenues?
Add here, like in TeliaSonera case, physical communication, voice and
data network (including IP, backbone/transit, last mile), DNS, web
hosting, data center businesses under the same umbrella, is there a room
for any independent security assessment here? I'm not talking about a
perfectly designed and implemented corruption infrastructure which in
my opinion also need to be part of the term "business practice". Do you
agree that before deciding how god or bad the devil is, we should define
what actually the devil is?

Thanks,
M.D.
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

[secgu...@yandex.com]

Quoting gerv:

> On 30/03/13 04:31, Jan Schejbal wrote:

>> If we assume that any LI/CA company is willing to intentionally misissue
>> to support the LI business, such a company must not be accepted as a CA.
>>
>> I, personally, would not consider being in the LI business sufficient
>> indication *by itself* that the CA is willing to misissue.
>

> Well, that would be a reasonable position, as long as it didn't become a
> proxy for something else. For example, if someone (not suggesting it
> would be you) said "I think any CA based in China is willing to
> intentionally misissue certificates to support the LI business, whereas
> any CA based in the US is not".
>
> Gerv

Misissuing certs in the past shall result in the deletion of the root
inclusion.
Positive decisions on new inclusions require trust in the future absence
of cert abuse.

While it is necessary that the CA is unwilling to misissue, that is not
sufficient to gain the trust. Trust is and must be hard to earn and easy
to lose. Otherwise it is only hope.

If the CA is in the jurisdiction of a country, where it is (legally)
possible to force the CA to misissue certs without even talking about
it, Mozilla shall not trust this CA and its root certificate on behalf
of Mozillas useres, who are most likely in different jurisdictions.
What is called "lawful intercept" in one country, might be criminal
espionage in the other.

All the best.
sg

[Gervase Markham]

On 01/04/13 18:25, secgu...@yandex.com wrote:
> If the CA is in the jurisdiction of a country, where it is (legally)
> possible to force the CA to misissue certs without even talking about
> it, Mozilla shall not trust this CA and its root certificate on behalf
> of Mozillas useres, who are most likely in different jurisdictions.

See my question 4. There is some chance (people have argued both ways)
that adopting this policy would require kicking out all US-based CAs.
I'm not sure that would make Mozilla users as a whole more secure.

Gerv

[Kyle Hamilton]

What is the purpose of the CA? "The Third-Party Attestation Function."

Any more than that, and the CA is necessarily compromised by conflicting
requirements.

-Kyle H

On Mon, Apr 1, 2013 at 8:10 AM, Moudrick M. Dadashov <m...@ssc.lt> wrote:

> On 4/1/2013 3:25 PM, Gervase Markham wrote:
>
>> On 30/03/13 00:42, Zack Weinberg wrote:
>>

>>> In *my* head anyway, that doesn't follow. Even if we're declining to
>>> take a position on whether "lawful intercept" is right or wrong, we can
>>> (and IMO should) recognize that there is a direct conflict of interest
>>> between being in the CA business and being in the lawful-intercept
>>> business, and insist that organizations be one or the other.
>>>

>> Why is being in the lawful intercept business, from Mozilla's point of
>> view, different from being in any other business? Saying that it is
>> different, and that CAs should not be allowed to be in it, is taking a
>> position on the goodness/rightness (or otherwise) of lawful intercept. I
>> don't think you can have this one both ways.
>>
> The answer depends what your definition of CA is. I'm still looking for
> something more or less generally defined term under the Mozilla policy. No
> success yet.
> Should the policy make a difference between a CA who "makes for a living"
> from the certification activities and an umbrella company whose business
> covers the whole infrastructure and whose revenues from the certification
> activity is less than 0.0000000001% of its total revenues? Add here, like
> in TeliaSonera case, physical communication, voice and data network
> (including IP, backbone/transit, last mile), DNS, web hosting, data center
> businesses under the same umbrella, is there a room for any independent
> security assessment here? I'm not talking about a perfectly designed and
> implemented corruption infrastructure which in my opinion also need to be
> part of the term "business practice". Do you agree that before deciding how
> god or bad the devil is, we should define what actually the devil is?
>
> Thanks,
> M.D.
>
> Gerv
>>

>> ______________________________**_________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
>> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>>
>
>
>

[Kyle Hamilton]

There's actually a (moderately convoluted) way to deal with this: start a
CA in a location where there's regulation which prohibits misissuance of
certificates (like Nevada), and get into a contract with the state which
requires that only properly-issued certificates could be minted (by perhaps
making those certificates useful for e.g. filing taxes, an even more
important function to a state than enforcing law).

Then extend cross-certification to other CAs, on a "the CEO or an officer
must manually request a renewal every 72 hours" basis. Use knowledge that
only that person has, setting it up so that if a renewal is requested the
person might miskey it, with precisely the same workflow and UI as if they
had put in the correct authentication code. The only difference between
the two would be that the improper keying would also instantly add the
minted certificate to the CRL and push a new CRL.

(From a LI perspective, the way this might work is if revocation wasn't
enabled at the client device, giving a very narrow window of time to do
whatever interception was appropriate on a per-operation basis.)

Given that any cross-certification would necessarily be done under the
aegis of Nevada law which felonizes the violation of a contract with the
state, there is no way that any out-of-state court could legitimately
compel the commission of a felony in another jurisdiction.

Or maybe I'm misreading this California constitutional clause which says
"No person shall be required to perform any act which is unlawful."

-Kyle H

On Thu, Apr 4, 2013 at 2:02 AM, Gervase Markham <ge...@mozilla.org> wrote:

> On 01/04/13 18:25, secgu...@yandex.com wrote:

> > If the CA is in the jurisdiction of a country, where it is (legally)
> > possible to force the CA to misissue certs without even talking about
> > it, Mozilla shall not trust this CA and its root certificate on behalf
> > of Mozillas useres, who are most likely in different jurisdictions.
>

> See my question 4. There is some chance (people have argued both ways)
> that adopting this policy would require kicking out all US-based CAs.
> I'm not sure that would make Mozilla users as a whole more secure.
>
> Gerv
>

[Phillip Hallam-Baker]

I am not aware of any LI scheme that works by mis-issue of certs, let alone
those issued off a public root.

The telephone intercept schemes make use of the fact that there is no
authentication in the system whatsoever. If you have access to the switches
you can put whatever junk into them you like.

It is something of a mystery to me that this has not resulted in merry heck.


The UK system is even more 'interesting'. System-X has a built in mechanism
that allows any landline to be turned into a passive microphone receiver.

They were doing all this long before public key cryptography was known to
exist, let alone commercial CAs established.

On Thu, Apr 4, 2013 at 5:09 PM, Kyle Hamilton <kya...@kyanha.net> wrote:

> What is the purpose of the CA? "The Third-Party Attestation Function."
>
> Any more than that, and the CA is necessarily compromised by conflicting
> requirements.
>
> -Kyle H
>
>
> On Mon, Apr 1, 2013 at 8:10 AM, Moudrick M. Dadashov <m...@ssc.lt> wrote:
>
> > On 4/1/2013 3:25 PM, Gervase Markham wrote:
> >
> >> On 30/03/13 00:42, Zack Weinberg wrote:
> >>

> >>> In *my* head anyway, that doesn't follow. Even if we're declining to
> >>> take a position on whether "lawful intercept" is right or wrong, we can
> >>> (and IMO should) recognize that there is a direct conflict of interest
> >>> between being in the CA business and being in the lawful-intercept
> >>> business, and insist that organizations be one or the other.
> >>>

> > _______________________________________________
> > dev-security-policy mailing list
> > dev-secur...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> >
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
Website: http://hallambaker.com/

[Kyle Hamilton]

If you're talking to your bank, the bank can be subpoenaed.
If you're talking to your credit card processor, the processor can be
subpoenaed.
If you're talking to someone you're scamming, the scammed person has the
communications.
If you're talking to a conspirator, there are multiple machines where the
communication can be found.
There is no reason at all to accept that "lawful intercept" schemes must be
implemented as fraudulent certificates. There is even less reason to
accept that they should be implemented as forcing somebody to sign
something known to be false.

-Kyle H

On Thu, Apr 4, 2013 at 2:36 PM, Phillip Hallam-Baker <hal...@gmail.com>wrote:

> I am not aware of any LI scheme that works by mis-issue of certs, let
> alone those issued off a public root.
>
> The telephone intercept schemes make use of the fact that there is no
> authentication in the system whatsoever. If you have access to the switches
> you can put whatever junk into them you like.
>
> It is something of a mystery to me that this has not resulted in merry
> heck.
>
>
> The UK system is even more 'interesting'. System-X has a built in
> mechanism that allows any landline to be turned into a passive microphone
> receiver.
>
> They were doing all this long before public key cryptography was known to
> exist, let alone commercial CAs established.
>
>
>
>
> On Thu, Apr 4, 2013 at 5:09 PM, Kyle Hamilton <kya...@kyanha.net> wrote:
>
>> What is the purpose of the CA? "The Third-Party Attestation Function."
>>
>> Any more than that, and the CA is necessarily compromised by conflicting
>> requirements.
>>
>> -Kyle H
>>
>>
>> On Mon, Apr 1, 2013 at 8:10 AM, Moudrick M. Dadashov <m...@ssc.lt> wrote:
>>
>> > On 4/1/2013 3:25 PM, Gervase Markham wrote:
>> >
>> >> On 30/03/13 00:42, Zack Weinberg wrote:
>> >>

>> >>> In *my* head anyway, that doesn't follow. Even if we're declining to
>> >>> take a position on whether "lawful intercept" is right or wrong, we
>> can
>> >>> (and IMO should) recognize that there is a direct conflict of interest
>> >>> between being in the CA business and being in the lawful-intercept
>> >>> business, and insist that organizations be one or the other.
>> >>>

[Phillip Hallam-Baker]

Which is what I would expect anyone receiving such a purported subpoena
would tell the court that issued it.

I am not aware of a precedent for a court forcing a third party to
knowingly issue a fraudulent instrument to enable lawful intercept. Nor am
I aware of an act that would authorize law enforcement to make such a
demand.



Making declarative statements about hypothetical situations is a stupid
approach. It gives a lot of opportunity for posturing but does nothing to
change behavior.

>>> >>> In *my* head anyway, that doesn't follow. Even if we're declining to
>>> >>> take a position on whether "lawful intercept" is right or wrong, we
>>> can
>>> >>> (and IMO should) recognize that there is a direct conflict of
>>> interest
>>> >>> between being in the CA business and being in the lawful-intercept
>>> >>> business, and insist that organizations be one or the other.
>>> >>>

--
Website: http://hallambaker.com/

[Moudrick M. Dadashov]

do you think Mozilla policy should have some definitions for these:

CA - ? (any CA?)
Publicly trusted CA (or CA issuing certificates to Public) - (Mozilla
Root program member?)

Thanks,
M.D.

On 4/5/2013 12:09 AM, Kyle Hamilton wrote:
> What is the purpose of the CA? "The Third-Party Attestation Function."
>
> Any more than that, and the CA is necessarily compromised by
> conflicting requirements.
>
> -Kyle H
>
>
> On Mon, Apr 1, 2013 at 8:10 AM, Moudrick M. Dadashov <m...@ssc.lt
> <mailto:m...@ssc.lt>> wrote:
>
> On 4/1/2013 3:25 PM, Gervase Markham wrote:
>
> On 30/03/13 00:42, Zack Weinberg wrote:
>

> In *my* head anyway, that doesn't follow. Even if we're
> declining to
> take a position on whether "lawful intercept" is right or
> wrong, we can
> (and IMO should) recognize that there is a direct conflict
> of interest
> between being in the CA business and being in the
> lawful-intercept
> business, and insist that organizations be one or the other.
>

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> <mailto:dev-secur...@lists.mozilla.org>

> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> <mailto:dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>

[Eddy Nigg]

On 04/05/2013 01:02 AM, From Moudrick M. Dadashov:

> do you think Mozilla policy should have some definitions for these:
>

Folks, why not simply stick to the Mozilla CA Policy, why invent
anything else? It clearly says when and why a certificate can be issued
and under which circumstances and requirements (the minimum). Mozilla
already took a stance clearly with its own policy - this is the bar that
has to be met.

A certificate authority that can't or doesn't want to comply to that
requirement can't be accepted.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

[Jan Schejbal]

Am 2013-04-05 00:08, schrieb Eddy Nigg:
> A certificate authority that can't or doesn't want to comply to that
> requirement can't be accepted.

I agree with this. However, I feel that a clarification that fake certs
for LI are not allowed under policy and will be met with removal of the
root would not be bad. This way, everyone knows not to do it, and if
they do, there is a bigger chance that Mozilla will actually be willing
to take consequences, even if this means "breaking the web" in the short
term because the CA thinks it's too big to fail.

[Phillip Hallam-Baker]

If someone credibly threatens a member of CA staff with murder or jail
rather than issue a certificate then they are going to issue the
certificate.

I find it rather ridiculous that people are even debating that. Sorry but
the purpose of the SSL certificate scheme was to enable and protect
Internet commerce. If you have a different requirement then you should use
a different technology that is suited to the purpose.

Paypal, Bank of America and the rest all tolerate huge fraud rates rather
than lose business. You are suggesting that we have to put life above their
profits.

Sorry but that is stupid and wrong. I know that it is an issue where people
think that there is an absolute case to be made but that is simply wrong.
Security is risk management, not risk elimination.


What we should do is to focus on best practices that can mitigate the risk
of coercion. For example the long standing multi-party controls schemes
taken from NSA practice, transparency, etc.

I am not prepared to put the lives of my staff or any other CA ahead of
your ideological preening.

On Fri, Apr 5, 2013 at 9:34 AM, Jan Schejbal <jan.sche...@gmx.de>wrote:

> Am 2013-04-05 00:08, schrieb Eddy Nigg:

> > A certificate authority that can't or doesn't want to comply to that
> > requirement can't be accepted.
>

> I agree with this. However, I feel that a clarification that fake certs
> for LI are not allowed under policy and will be met with removal of the
> root would not be bad. This way, everyone knows not to do it, and if
> they do, there is a bigger chance that Mozilla will actually be willing
> to take consequences, even if this means "breaking the web" in the short
> term because the CA thinks it's too big to fail.
>
> Kind regards,
> Jan
>
> --
> Please avoid sending mails, use the group instead.
> If you really need to send me an e-mail, mention "FROM NG"
> in the subject line, otherwise my spam filter will delete your mail.
> Sorry for the inconvenience, thank the spammers...

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

[ch...@soghoian.net]

Although it may be the policy of your employer to cave in to government threats, not every CA is in the same boat. It is nice, however, to know now that Comodo will fold like a cheap suit if its engineers are threatened by a government.

From my 2010 paper on Gov Interception Attacks Against SSL : http://files.cloudprivacy.net/ssl-mitm.pdf

For example, a representative from one CA has informed us that his organization's disaster contingency plans include court orders, and that
his technical infrastructure includes a "kill switch" that enables him to move to a new physical location, and nullify data at the data center [26].

[26] Eddy Nigg. Email conversation with author, March 27 2010

[Phillip Hallam-Baker]

Actually I didn't write the Comodo guidelines. If it is a matter of
personnel safety then it really isn't a corporate issue at all. I am just
as concerned about the risk that an attacker would harm one of my
competitor's employees as one of our own.

Look at what you have just written and ask yourself if describing putting
the lives of my co-workers above EBay's fraud rate as 'folding like a cheap
suit' is something that you would not yourself consider to be the statement
of a crank and a fanatic if someone else said it.


Those are the exact same rules that every bank has in the country: If
someone comes into the branch and claims to have a gun then you hand over
the money. It is actually a firing offense not to.

As I said, there are controls that can be put in place. I am not sure quite
how Eddy thinks that switch is going to help unless whoever is operating it
is outside the jurisdiction and has knowledge of the subpoena. And
particularly not now that he has told everyone about it.


However, given this remarkable commitment to the integrity of the SSL
certification process etc. whereby you think we should put our employees
lives on the line, I assume you believe the same should hold at Mozilla?

Equally, can I anticipate that Mozilla will be announcing immediate support
for hard fail on OCSP revocation checking?


It is really easy to take these extreme positions if you don't care about
the consequences. It is also quite easy to make a commitment to the absurd.

We are both personally invested in the wider political potential of the
Internet. In the case of the Web, I have been involved in that longer than
you have and I know that for a fact because that is why I moved to work on
the Web at CERN when it had 100 people.

If you want to develop technologies to enable freedom of thought and
expression then we can discuss that. But those are not discussions I hold
on public mailing lists.

[secgu...@yandex.com]

Quoting Phillip Hallam-Baker:

> If someone credibly threatens a member of CA staff with murder or jail
> rather than issue a certificate then they are going to issue the
> certificate.
>

You are absolutely right. If a CA member is forced with a gun at his
head by authorities to misissue a certificate, he has to do it.
But the question remains, whether Mozilla can trust CAs seated in
jurisdictions where this type of "law enforcement" is legal - hopefully
this is not the case in "the land of the free".

[...]

> I am not prepared to put the lives of my staff or any other CA ahead of
> your ideological preening.
>

+1

But business interests of CAs (staying in the jurisdiction of legally
death threatening regimes) should not be put ahead of Mozilla users
interests either.


All the best.
sg

[Phillip Hallam-Baker]

Well whose country has a President, Vice President and Secretary of Defense
that dare not visit certain European countries due to the likelihood that
they would be arrested on torture charges? Which country still operates a
gulag in Cuba?

How many countries are we going to have left if we throw out the SCO
countries trying to suppress freedom of speech plus the ones that
participated in the CIA secret gulag program? I am sure that we can exclude
pretty much all the ones larger than Monaco without much effort.

I am not a US citizen and I am more than familiar enough with my own
country's history to know that we were not always the good guys either.
Remember that we are building the WORLD WIDE Web, not just the Web for the
parts that are already more or less not completely terrible.

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

[Eddy Nigg]

On 04/05/2013 05:14 PM, From Phillip Hallam-Baker:

> If someone credibly threatens a member of CA staff with murder or jail
> rather than issue a certificate then they are going to issue the
> certificate.

Well, such a staff member would have to have the privileges to that in
first place. And probably not every staff member can be threatened at
all due to controls in place.

If the CA would be subject to such threats or orders it still has
several options including legal actions, changing jurisdiction - or
close the CA or whatever.

[Phillip Hallam-Baker]

You are preaching to the choir on multi-party controls. But they are not
infallible.

It would be entirely reasonable for Mozilla to insist on such controls.
Requiring me to ask my potential employees if they would rather die than
issue a bogus certificate seems rather ridiculous. Which candidate am I
meant to pick?

I would much rather we treat any such case if we ever come to it rather
than spin pointless hypotheticals in which other people are supposed to put
their lives on the line to defend some ideological principle.

On Fri, Apr 5, 2013 at 4:40 PM, Eddy Nigg <eddy...@startcom.org> wrote:

> On 04/05/2013 05:14 PM, From Phillip Hallam-Baker:
>

> If someone credibly threatens a member of CA staff with murder or jail
>> rather than issue a certificate then they are going to issue the
>> certificate.
>>
>

> Well, such a staff member would have to have the privileges to that in
> first place. And probably not every staff member can be threatened at all
> due to controls in place.
>
> If the CA would be subject to such threats or orders it still has several
> options including legal actions, changing jurisdiction - or close the CA or
> whatever.
>
>

> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: star...@startcom.org
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>

> ______________________________**_________________
> dev-security-policy mailing list
> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>

> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>



--
Website: http://hallambaker.com/

[secgu...@yandex.com]

Quoting Phillip Hallam-Baker:

> Well whose country has a President, Vice President and Secretary of Defense
> that dare not visit certain European countries due to the likelihood that
> they would be arrested on torture charges? Which country still operates a
> gulag in Cuba?
>
> How many countries are we going to have left if we throw out the SCO
> countries trying to suppress freedom of speech plus the ones that
> participated in the CIA secret gulag program? I am sure that we can exclude
> pretty much all the ones larger than Monaco without much effort.

That might be all true. But for Mozilla Policy compliance the three
questions to be answered with "No" for countries jurisdiction should be:

1. Have they legally forced a resisting CA to misissue certificates in
the past (without being held accountable by courts)?

2. Is there evidence that authorities are legally allowed to do so in
the future?

3. In the case of future "unlawful enforcement" of misissues, are the
chances low that the "enforcer" will be sucessfully brought to justice
and the forced ones (CA and/or the guy with the gun at his head, ...)
get compensations?


Quoting a part of Phillip Hallam-Bakers yesterdays mail

"I am not aware of a precedent for a court forcing a third party to
knowingly issue a fraudulent instrument to enable lawful intercept. Nor
am I aware of an act that would authorize law enforcement to make such a
demand."

i assume that question 1. and perhaps 2. can be answered with "no" -
even for the "land of the free".
Regarding 2. and 3. there is probably ongoing legal advice for each
jurisdiction with a trusted CA needed.

> I am not a US citizen and I am more than familiar enough with my own
> country's history to know that we were not always the good guys either.
> Remember that we are building the WORLD WIDE Web, not just the Web for the
> parts that are already more or less not completely terrible.

Well, but Mozilla sets the "trustbits" for its users worldwild equally.
If Mozilla tolerates "lawful intercept" by country A with a trusted CA's
"help", how can a user in country B, where this kind of foreign "law
enforcement" is criminal espionage, trust his "secure" internet connections?

[...]

All the best.
sg

[Jan Schejbal]

Am 2013-04-05 16:14, schrieb Phillip Hallam-Baker:
> If someone credibly threatens a member of CA staff with murder or jail
> rather than issue a certificate then they are going to issue the
> certificate.

In case the CA operates in a jurisdiction where this is likely to happen
and the CA is unable to counter this threat (e.g. by having suitable
duress procedures), i.e. it is likely that the CA will misissue, IMHO
the CA is not trustable and thus unsuitable for inclusion in Mozilla.
"Has already happened" can be an indicator that it is likely to happen
again, especially for government extortion.

Again, the only criterion for inclusion should be, IMHO, "do we consider
the probability that the key will be used to sign false certificates low
enough", with all other criteria like audit requirements only outlining
criteria for thinking that the key will not misissue. Whether the
certificate is false because someone stole the private key from Achmed's
unencrypted thumb drive that he left on his desk or because someone held
a gun to someones head doesn't matter in the end for whoever was MitM-ed
by that certificate.

This does not mean the threatened person has to heroically refuse and
get shot for the security of SSL/TLS. It does, however, mean that the CA
may be distrusted if something like this happens.


However, I also think that the entire "gun to head" discussion is a red
herring and that unless faced with serious consequences for doing so
(aka root removal) many CAs would be willing to cave to far lesser
threats than threats of personal harm to individuals. I am talking about
financial or other legal harm to the CA as a company. Which is a much
more likely scenario in most western countries.


We did not remove every CA that got breached, because noone can be 100%
safe against it. We do not need to remove a CA where someone got a gun
held to their head and then issued a fake cert. We should, however,
remove any CA where we expect a breach to happen (again), and we should
remove any CA where we expect a gun-to-head scenario to happen (again).
And we should DEFINITELY remove any CA that is willing to comply with
requests for LI certs even if there are no threats against the personal
safety of personnel.

[Eddy Nigg]

On 04/06/2013 12:12 AM, From Phillip Hallam-Baker:

> You are preaching to the choir on multi-party controls. But they are
> not infallible.

Haven't said that - but who really has the power to override all
technical and physical controls? I assume just a few if at all depending
on the size of the company.

> It would be entirely reasonable for Mozilla to insist on such
> controls. Requiring me to ask my potential employees if they would
> rather die than issue a bogus certificate seems rather ridiculous.
> Which candidate am I meant to pick?

Are you seriously believing that anybody is going to die for a
certificate? C'mon! Lets stay reasonable - the reality is much, much
different that your imaginable wild west scenario.

> I would much rather we treat any such case if we ever come to it
> rather than spin pointless hypotheticals in which other people are
> supposed to put their lives on the line to defend some ideological
> principle.

I suspect you would probably fold much earlier before your life is even
threatened :-)


Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: star...@startcom.org <xmpp:star...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>

[Zack Weinberg]

I apologize for not answering this question for ages. The conversation
has moved on, but I think it still deserves an answer.

When I say "there is a direct conflict of interest between being in the
CA business and being in the lawful intercept business", I mean to
assert *only* that an organization that attempts to do both at the same
time has goals that are internally inconsistent. I make no judgement
about the "goodness" or "rightness" of *either* business. It might
*seem* that I am asserting "lawful intercept bad" because "lawful
intercept in conflict with CA", but that only follows if you presuppose
"CA good". CAs are presently *necessary* to the functioning of the web,
but they could still be "bad" in an absolute sense. (Indeed, if you
believe "lawful intercept good (in at least some circumstances)", as
many people do, then you logically *must* believe "CA bad (in those
circumstances)"!)

As to why I think there is a conflict of interest, it's really quite
simple. If you're in the CA business, you are in the business of
assuring at least one party to a secure channel that they are talking to
the counterparty they think they are talking to, and no one can listen
in. But if you are in the lawful-intercept business, you are in the
business of arranging to crack open those secure channels (covertly, and
by whatever means come to hand). To do both things at the same time is
to take both "authenticity" and "not authenticity" as fundamental goals,
and these are in conflict. (I use the word "authenticity" here in the
cryptographic-theoretic sense.)

PHB's message downthread about how being in both businesses at the same
time is *so wonderful* for both Verisign and its customers is a nice
illustration of the ethical corrosiveness of conflicting fundamental
goals. I can't think of a better Exhibit A for my point.

zw

please do not cc: me on replies

[Gervase Markham]

On 29/04/13 21:13, Zack Weinberg wrote:
> I apologize for not answering this question for ages. The conversation
> has moved on, but I think it still deserves an answer.

Thanks for providing this; it's very helpful.

> As to why I think there is a conflict of interest, it's really quite
> simple. If you're in the CA business, you are in the business of
> assuring at least one party to a secure channel that they are talking to
> the counterparty they think they are talking to, and no one can listen
> in. But if you are in the lawful-intercept business, you are in the
> business of arranging to crack open those secure channels (covertly, and
> by whatever means come to hand). To do both things at the same time is
> to take both "authenticity" and "not authenticity" as fundamental goals,
> and these are in conflict. (I use the word "authenticity" here in the
> cryptographic-theoretic sense.)

I think this nails it. We do not have to make judgements about the
rightness or wrongness of lawful intercept in any particular case in
order to assert that there is a conflict of interest between being the
party who tries to ensure secure communication, and the party who tries
to ensure observable communication when requested.

Gerv