>What is the goal of the root program? Should there be a higher bar for
>removing CAs than adding them? Does trust increase or decrease over time?
Another thing I'd like to bring up is the absolute silence of the CAB forum
over all this. Apple have quietly unilaterally distrusted, Mozilla have
debated at length (three months now) and are taking action, but the regulatory
body that should be taking charge, the CAB forum, has (apparently) taken
absolutely no action.
Does anyone know the position among other browser vendors, Chrome, IE, Opera,
Konqueror, Chromium, Midori, the dozen or more forks of various bigger
browsers, the dozens(?) of mobile browsers, and so on?
Peter.

I haven't heard anything from them. If they've made any statements, they've
been very quiet about it.

>> Apple have quietly unilaterally distrusted, Mozilla have
>> debated at length (three months now) and are taking action,
>
>mid-August to mid-October is not three months.
August, September, October, seems like three to me.
>[blah blah blah nitpick nitpick nitpick]
Response, response, response, boring boring boring.
Any chance of answering my question? What's the CAB forum doing? What are
other browser vendors doing?
Peter.

>The CA/Browser Forum is not a regulatory body. They publish guidelines but
>do not set requirements nor regulate compliance.
It's a bit hard to describe its actual functioning, in theory they just
advise, but then so does ISO, IEEE, and others. They're not regulatory bodies
either, but when ISO or IEEE says X you do it.
>What action would you expect the Forum to be taking?
I would have expected some sort of coordinating action to provide a unified
response to the issue and corresponding unified, consistent behaviour among
the browsers, rather than the current lottery as to what a particular browser
(other than Apple and Mozilla's ones) will do when it encounters a WoSign
cert.
Then there's the bigger question that if the CAB can't do anything about a CA
going rogue (fraudulently issuing certs to evade restrictions), does that mean
the web PKI is just a free-for-all? Who's running the show if it's not the
CAB?
Peter.

>And that's not CABF's duty and responsibility. What the CABF can impose to
>CABF members is to follow the bylaws, the internal governance rules. By
>following them, all members write the guidelines and decide on what changes
>to adopt, and browsers then impose CAs to follow these guidelines.
Hmm, OK. I was just wondering why the CABF seemed to be missing in action,
since it appeared to be the logical place to address this sort of issue.
>What appears from the CABF meeting minutes is that the WoSign+StartCom+Qihoo
>combination is looked after, precisely regarding the bylaws.
Hmm, I'm not quite sure what you mean by that, but a quick check of the most
recently published minutes:
https://cabforum.org/2016/09/15/2016-09-15-minutes/
https://cabforum.org/2016/09/29/2016-09-29-minutes/
indicates that not much has happened, there's just a brief comment about
whether { WoSign, Startcom, Qihoo 360 } should be treated as one entity or
three. I assume that's the bylaw issue?
So there really is no-one running the show, meaning no coordinating body that
can say "bad things are happening over here, you need to take action to deal
with them"? It just seems odd that the next time a CA goes rogue, every end
user on the planet has to wait for whatever browser vendor they rely on to
make some arbitrary decision on what to do, or as it seems for many vendors in
the case of WoSign, do nothing. The only one who's openly addressed this
seems to be Mozilla.
Peter.

>There were comments admonishing StartCom and WoSign for not reporting change
>of ownership in a timely manner.
>
>I am not sure if this has been reported earlier, but if not, then Qihoo 360
>change of ownership may be relevant to the current discussion:
>
>http://www.prnewswire.com/news-releases/qihoo-360-announces-completion-of-merger-300299435.html
If I've followed this complicated trail of breadcrumbs correctly, since Qihoo
360 is now "a wholly owned subsidiary of Midco" where Midco is True Thrive
Limited, then True Thrive is a subsidiary of Greenland Hong Kong Holdings
Limited:
http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=252817367
which is a subsidiary of Greenland Group:
http://www.greenlandhk.com/pages/en/intro.html
which is the Chinese government (as a state-owned enterprise).
Peter.

>I think you found the "wrong" True Thrive Limited.
Ah, thanks.
>This appears to just be a name collision. Naming is hard :(
Actually if you think that's tough, try figuring out who the real Midco is...
Peter.

>As we observed the large scale MITM against iCloud, Outlook, Google and
>Github carried out on the backbone router with self-signed certs, and that
>the browsers explicitly load self-signed certs, I think it's clear that
>browsers in China are compelled by the gov to enable insecure cryptography by
>default.
Is that really the government compelling them, or just the browser vendors
deciding to enable a free market and/or remove dependency on non-Chinese CAs?
If the browsers secretly trusted some government-run CA that'd be a different
matter, but I'm not sure whether simply choosing to trust self-signed certs is
a genuine smoking gun...
Peter.