Process of including ca root in mozilla

[Anis]

root CA inclusion procedures are very long, so do not simplify them to encourage the certification culture.
for example give root the chance to be included for a period of one year during this time it is decided that it remains or not while respecting the norms course.
if in the course of this period the root ca will make an error it will be excluded in the next update or version of mozilla.
the first checks are carried out as usual but instead of consuming years we will fix for example 6 months.
at the end of these 6 months a vote will be made to decide.
Anis

[Ryan Sleevi]

What benefit does this provide, given the profound and lasting risk this
introduces?

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

[Anis]

we keep the checks and the audits according to cabf. We reduce the discussion time to 6 months. After the inclusion is set a period of one year of compliance testing. while controlling the certificates issued by this authority. we can exclude the root ca in the next versions.
you do not notice the heaviness of the procedure which now takes more than 2 years.

[Ryan Sleevi]

So it benefits the CA (potentially hostile CAs) to getting in quicker, but
at profound risk to users, even if the CA is removed.

If a CA takes more than 2 years to get included, it's almost always because
they're not actually keeping the checks, documentation, and audits.

[Anis]

for example there is some root not recognized by mozilla but recognized by microsoft after an Etsi or webtrust audits
why not put a single recognition platform for all this will save time

[Matt Palmer]

On Thu, Mar 08, 2018 at 12:42:13PM -0800, Anis via dev-security-policy wrote:
> why not put a single recognition platform for all this will save time

What did Microsoft and Apple say when you pitched this obviously very well
thought-out and detailed proposal to them? If you want a single platform,
all the existing players need to agree to it...

- Matt

[westm...@gmail.com]

It's bad that 70% of the root certificates in the discussion thread are certificates of governments that are not needed to anyone except these governments.

Andrew

[Jakob Bohm]

On 09/03/2018 05:28, westm...@gmail.com wrote:
> It's bad that 70% of the root certificates in the discussion thread are certificates of governments that are not needed to anyone except these governments.
>
> Andrew
>

And the citizens under those governments.

And anyone elsewhere checking out things in that country for any reason.

(how much depends how much of the stuff in that country uses it, for
example, some years ago, every citizen in Denmark could get a free(ish)
e-mail/client certificate under the TDC root, this was later taken over
by a banking services company that changed it into a two-factor login
with private keys on their server!).

But yes, country-specific CAs should be restricted to trust for entities
in that country only (domains under the country TLDs, subject DN country
code in that country etc.). And this should be technically enforced
even if the country-folk don't add that restriction themselves.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Ryan Sleevi]

On Thu, Mar 8, 2018 at 11:39 PM, Jakob Bohm via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On 09/03/2018 05:28, westm...@gmail.com wrote:
>

> And the citizens under those governments.
>
> And anyone elsewhere checking out things in that country for any reason.
>
> (how much depends how much of the stuff in that country uses it, for
> example, some years ago, every citizen in Denmark could get a free(ish)
> e-mail/client certificate under the TDC root, this was later taken over
> by a banking services company that changed it into a two-factor login
> with private keys on their server!).
>
> But yes, country-specific CAs should be restricted to trust for entities
> in that country only (domains under the country TLDs, subject DN country
> code in that country etc.). And this should be technically enforced
> even if the country-folk don't add that restriction themselves.
>

The profound harm that would cause has already been discussed on this list
in the past, and is available in the archive.

Creating a fragmented Internet as proposed would harm, not help, global
interoperability and security.

[Anis]

Is a good idea to limited the ca root at first at code country or the TLD of this country like .tr for turkey or .fr for France
In second step this ca root put the new request for they other domain or code and this request take a profond and enforced check like 2 years of period.

[Anis]

Every year the ca root will gave the official annual audit to mozilla who prove the respect of norms. this audits made from a recognized auditors

[Anis]

the risk still exists. for example a root ca included in mozilla and generates nonconforming certificates. what to do???