
Policy 2.5 Proposal: Remove the bullet about "fraudulent use"


Gervase Markham

Apr 20, 2017, 9:39:49 AM
to mozilla-dev-s...@lists.mozilla.org
Section 7.1 of the policy says that we reserve the right not to include
certificates from a CA which has:

"knowingly issue certificates that appear to be intended for fraudulent
use."

There are a few problems with this.

* It's only in the inclusion section.
* It's really subjective - how could you prove a CA "knowingly" did this?

How can a CA tell a certificate "appears to be intended for fraudulent
use"? As bad actors don't set the "evil bit", the only way I can think
of that a CA might do this check is by looking at the domain name and
checking to see if it's anything like a "famous" brand. But Mozilla has
taken the position that we don't believe it's the responsibility of CAs
to police the domain name space.

We already have the power to chuck out misbehaving CAs, or not include
ones which are dodgy; we don't need this clause for that either.

So I propose removing it, and reformatting the section accordingly.

This is: https://github.com/mozilla/pkipolicy/issues/2

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

Ryan Sleevi

Apr 20, 2017, 10:21:39 AM
to Gervase Markham, mozilla-dev-security-policy
+1 to what sounds like a perfectly reasonable position

Matt Palmer

Apr 20, 2017, 7:11:47 PM
to dev-secur...@lists.mozilla.org
On Thu, Apr 20, 2017 at 02:39:12PM +0100, Gervase Markham via dev-security-policy wrote:
> So I propose removing it, and reformatting the section accordingly.

Do eeeet. Do eeeet noooooooow!

(That's me strongly agreeing with the proposal, in case my faux-Ren accent
is impenetrable)

- Matt

Eric Mill

Apr 21, 2017, 12:12:14 PM
to Matt Palmer, dev-secur...@lists.mozilla.org
I strongly support removing any ambiguity about CAs not being required to
police certificate issuance, and agree on the unuseful level of
subjectivity that would be present in any attempt to enforce this clause.

-- Eric



--
konklone.com | @konklone <https://twitter.com/konklone>

Gervase Markham

May 1, 2017, 4:36:21 AM
to mozilla-dev-s...@lists.mozilla.org
On 20/04/17 14:39, Gervase Markham wrote:
> So I propose removing it, and reformatting the section accordingly.

Edit made as proposed.

Gerv

Peter Kurrasch

May 1, 2017, 11:28:09 AM
to Gervase Markham via dev-security-policy, mozilla-dev-s...@lists.mozilla.org
Gerv, does this leave the Mozilla policy with no position statement regarding fraud in the global PKI?



Gervase Markham

May 1, 2017, 11:50:09 AM
to Peter Kurrasch
On 01/05/17 16:28, Peter Kurrasch wrote:
> Gerv, does this leave the Mozilla policy with no position statement regarding fraud in the global PKI?

What do you mean by "in"?

Gerv

Peter Kurrasch

May 1, 2017, 8:55:46 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
I was thinking that fraud takes many forms generally speaking and that the PKI space is no different. Given that Mozilla (and everyone else) work very hard to preserve the integrity of the global PKI and that the PKI itself is an important tool to fighting fraud on the Internet, it seems to me like it would be a missed opportunity if the policy doc made no mention of fraud.

Some fraud scenarios that come to mind:

- false representation as a requestor
- payment for cert services using a stolen credit card number
- malfeasance on the part of the cert issuer
- requesting and obtaining certs for the furtherance of fraudulent activity

Regarding that last item, I understand there is much controversy over the prevention and remediation of that behavior but I would hope there is widespread agreement that it does at least exist.




Gervase Markham

May 2, 2017, 6:47:06 AM
to Peter Kurrasch
On 02/05/17 01:55, Peter Kurrasch wrote:
> I was thinking that fraud takes many forms generally speaking and that
> the PKI space is no different. Given that Mozilla (and everyone else)
> work very hard to preserve the integrity of the global PKI and that the
> PKI itself is an important tool to fighting fraud on the Internet, it
> seems to me like it would be a missed opportunity if the policy doc made
> no mention of fraud.
>
> Some fraud scenarios that come to mind:
>
> - false representation as a requestor
> - payment for cert services using a stolen credit card number
> - malfeasance on the part of the cert issuer

Clearly, we have rules for vetting (in particular, EV) which try and
avoid such things happening. It's not like we are indifferent. But
stolen CC numbers, for example, are a factor for which each CA has to
put in place whatever measures they feel appropriate, just as any
business does. It's not really our concern.

> - requesting and obtaining certs for the furtherance of fraudulent activity
>
> Regarding that last item, I understand there is much controversy over
> the prevention and remediation of that behavior but I would hope there
> is widespread agreement that it does at least exist.

It exists, in the same way that cars are used for bank robbery getaways,
but the Highway Code doesn't mention bank robberies.

Gerv

Jakob Bohm

May 2, 2017, 10:17:36 PM
to mozilla-dev-s...@lists.mozilla.org
However a highway code may mention the authority of the highway police
to establish roadblocks and stop vehicles in relation to general
criminal issues. (But it is obviously not against any law for the
police to not establish roadblocks and vehicle searches for every bank
robbery ever committed, just as there are no requirements for CAs to
revoke certificates for every allegedly fraudulent use possible).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

袁剑波

May 2, 2017, 11:41:24 PM
to Jakob Bohm, mozilla-dev-s...@lists.mozilla.org
thanks


Sent from NetEase Mail Master

Peter Kurrasch

May 3, 2017, 11:45:54 AM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Perhaps a different way to pose the questions here is whether Mozilla wants to place any expectations on the CA's regarding fraud and the prevention thereof. Expectations beyond what the BR's address, that is. Some examples:

- Minimal expectation, meaning just satisfy whatever the BR's say but beyond that Mozilla won't care(?)

- Passive involvement, meaning a CA is expected to do some investigation into fraudulent activity but only when prompted and even then, no action is necessarily expected

- Active involvement, meaning the CA has implemented policies and procedures that identify and act on situations that appear fraudulent


A question one might ask is "What is reasonable?" It is not reasonable for CA's to identify and prevent all cases of fraud so I wouldn't ask that. I wouldn't call CA's the anti-fraud police, either. What about the following:

- When a CA is notified that a stolen credit card was used to purchase certs, should the CA investigate the subscriber who used it and any other certs that were purchased (perhaps using a different CC) and take appropriate action?

- Is it reasonable for any subscriber to request more than 100 certs on a given day? What about 500? 1000? (The point is not to prohibit large requests but I would imagine there is a level which exceeds what anyone might consider a legitimate use case.)

- Is it reasonable for a single CA to issue over 150 certs containing "paypal" in the domain name? (I am referring to the analysis Vincent Lynch did back in March.) There are undoubtedly cases where including "paypal" in the name is or could be legitimate, but 150 a day, every day?

- Is it reasonable for a CA to issue a cert to the CIA for Yandex or to the Chinese government for Facebook, even if the requester does demonstrate "sufficient control" of the domain?


The point I wish to make is that situations will come up that go beyond anything in the BR's and that reasonable people might agree go beyond a reasonable level of reasonableness. The question becomes what will Mozilla do as those situations arise? Can Mozilla envision possibly asking a CA "don't you think you should have limited <whatever>?"



Gervase Markham

May 3, 2017, 12:28:08 PM
to Peter Kurrasch
On 03/05/17 16:45, Peter Kurrasch wrote:
> Perhaps a different way to pose the questions here is whether Mozilla
> wants to place any expectations on the CA's regarding fraud and the
> prevention thereof.

You need to be more specific, because there are lots of different ways a
system can have "fraud" and our attitude to different ones might be
different. We are not the police.

> - When a CA is notified that a stolen credit card was used to purchase
> certs, should the CA investigate the subscriber who used it and any
> other certs that were purchased (perhaps using a different CC) and take
> appropriate action?

I'd say this is none of our business, unless the certs are mis-issued.

> - Is it reasonable for any subscriber to request more than 100 certs on
> a given day? What about 500? 1000? (The point is not to prohibit large
> requests but I would imagine there is a level which exceeds what anyone
> might consider a legitimate use case.)

I suspect some CAs will tell you that they have customers such as cloud
providers who require a very large number of certs per day. And this
also seems to be entirely outside our interest.

> - Is it reasonable for a single CA to issue over 150 certs containing
> "paypal" in the domain name? (I am referring to the analysis Vincent
> Lynch did back in March.) There are undoubtedly cases where including
> "paypal" in the name is or could be legitimate, but 150 a day, every day?

If we have decided that CAs are not "name cops", then I don't want to
reintroduce an expectation that they are by the back door.

> - Is it reasonable for a CA to issue a cert to the CIA for Yandex or to
> the Chinese government for Facebook, even if the requester does
> demonstrate "sufficient control" of the domain?

I suspect that if the Chinese government were attempting to get a cert
for Facebook mis-issued to themselves, they would not identify
themselves as the Chinese government. We care about the above as a
mis-issuance, just like any other.

Gerv

Jakob Bohm

May 4, 2017, 1:12:09 PM
to mozilla-dev-s...@lists.mozilla.org
On 03/05/2017 17:45, Peter Kurrasch wrote:
> Perhaps a different way to pose the questions here is whether Mozilla
> wants to place any expectations on the CA's regarding fraud and the
> prevention thereof. Expectations beyond what the BR's address, that is.
> Some examples:
>
> - Minimal expectation, meaning just satisfy whatever the BR's say but
> beyond that Mozilla won't care(?)
>
> - Passive involvement, meaning a CA is expected to do some investigation
> into fraudulent activity but only when prompted and even then, no action
> is necessarily expected
>
> - Active involvement, meaning the CA has implemented policies and
> procedures that identify and act on situations that appear fraudulent
>
>
> A question one might ask is "What is reasonable?" It is not reasonable
> for CA's to identify and prevent all cases of fraud so I wouldn't ask
> that. I wouldn't call CA's the anti-fraud police, either. What about the
> following:
>
> - When a CA is notified that a stolen credit card was used to purchase
> certs, should the CA investigate the subscriber who used it and any
> other certs that were purchased (perhaps using a different CC) and take
> appropriate action?
>

Generally, that is entirely an economic matter between the CA, the
subscriber and the credit card clearing house used by the CA. Most CAs
would probably revoke certificates if they suffer a chargeback,
regardless if the CC was stolen or not.

There are common best security practices that frequently prevent CAs
from actually knowing the CC numbers used by subscribers to purchase
certificates.

> - Is it reasonable for any subscriber to request more than 100 certs on
> a given day? What about 500? 1000? (The point is not to prohibit large
> requests but I would imagine there is a level which exceeds what anyone
> might consider a legitimate use case.)

Mass orders from someone who hasn't placed such orders before should be
subject to extra scrutiny as to what is going on (e.g. did we just win
a major legitimate customer from the competition?, is this a new CDN /
hosting provider with overnight success?, is there some other good
reason?). But this may or may not be an area that Mozilla or the BRs
should set a policy for.


>
> - Is it reasonable for a single CA to issue over 150 certs containing
> "paypal" in the domain name? (I am referring to the analysis Vincent
> Lynch did back in March.) There are undoubtedly cases where including
> "paypal" in the name is or could be legitimate, but 150 a day, every day?
>

I believe this falls under the existing "High Risk Certificate
Requests" BR.

> - Is it reasonable for a CA to issue a cert to the CIA for Yandex or to
> the Chinese government for Facebook, even if the requester does
> demonstrate "sufficient control" of the domain?
>

Ditto.

>
> The point I wish to make is that situations will come up that go beyond
> anything in the BR's and that reasonable people might agree go beyond a
> reasonable level of reasonableness. The question becomes what will
> Mozilla do as those situations arise? Can Mozilla envision possibly
> asking a CA "don't you think you should have limited <whatever>?"
>
>

Here is something that might be added to Mozilla Policy in lieu of
being a BR:

The criteria used by a CA to identify "High Risk Certificate Requests"
as defined by BR 1.6.1 and referenced in BR 4.2.1 shall, at a minimum,
include at least, but not only, the following:

- All of the items enumerated in the BR definition of "High Risk
Certificate Request" in BR 1.6.1, even though they may be optional in
the current BRs.
- The Alexa top 1000 unique base domain names (e.g. if www.mozilla.com
and www.mozilla.org are both in the Alexa top list, they count as only
1 when counting towards the 1000).
- The following core Internet operational base domain names: iana,
ietf, rfc-editor, internic, icann, example, invalid, root-servers,
gtld-servers, arpa.
- The primary base domain names of all CAB/F members (including mozilla
and google).
- The base domain names of all domains operated or "owned" by the CA
itself.
- The following names that tend to indicate high value subdomain
hierarchies: gov, com, org, co, ac.
- Anything containing the substring "bank".
- Any IDN domain names whose rendering using any of the well known
standard fonts: "Times Roman", "Courier", "Helvetica", "Arial" is
visually very close to any string of ASCII-only graphical characters.
(It is noted that this criterion can generally be checked by
compiling a list of UNICODE code points and sequences thereof having
this property on their own, then flagging any IDN name containing only
ASCII plus such sequences).
- Any all-ASCII domain name containing the characters ("1", "L", "i"),
("0", or "o") when a different entity controls the existing domain
formed by interchanging those with others from the same of the two
subsets.
For example, an application for the domain exampie.com is high risk
from an entity other than the entity controlling exampLe.com. And
vice versa.

Note that "High Risk Certificate Requests" can still be fulfilled,
they just require extra checks of their legitimacy, as per BR 4.2.1.



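As an added illustration of how a CA could screen incoming requests against the "High Risk Certificate Request" criteria proposed above (this is example code written for this thread, not code from Mozilla, the CA/Browser Forum or any CA), the following Python module flags a requested name when its base name is on a high-value list, when it contains a high-value hierarchy label or the substring "bank", when it is an IDN made only of ASCII plus look-alike code points, or when swapping 1/l/i or 0/o turns it into a domain controlled by a different entity. Everything it looks up is a constructed stand-in: the high-value list replaces the Alexa top list, CAB/F member names and the CA's own domains; the registry of existing domains and the look-alike table are tiny samples; and the registrable ("base") domain is approximated as the last two DNS labels rather than via the Public Suffix List. The reading of "high value subdomain hierarchies" as any non-TLD label equal to gov, com, org, co or ac is likewise an assumption of this example.

```python
"""Screening certificate requests against proposed "high risk" name criteria.

Added example, not code from Mozilla, the CA/Browser Forum or any CA.  All
name lists below are small constructed samples; the registrable ("base")
domain is approximated as the last two DNS labels (assumption: a real
deployment would use the Public Suffix List instead).
"""
from itertools import product

# Constructed sample of high-value base names: stand-in for the Alexa top list,
# the CAB/F members' names and the CA's own names, plus the core operational
# names listed in the proposal.
HIGH_VALUE_BASES = {
    "mozilla", "google", "paypal", "facebook", "examplecorp-ca",
    "iana", "ietf", "rfc-editor", "internic", "icann",
    "example", "invalid", "root-servers", "gtld-servers", "arpa",
}
# Labels that tend to indicate high-value subdomain hierarchies (from the proposal).
HIERARCHY_LABELS = {"gov", "com", "org", "co", "ac"}
# Constructed registry: existing registrable domains and the entity controlling them.
EXISTING_DOMAINS = {"example.com": "example-inc", "mozilla.org": "mozilla"}
# Interchangeable ASCII groups from the proposal: (1, l, i) and (0, o).
ASCII_CONFUSABLES = ["1li", "0o"]
# Constructed sample of non-ASCII code points that render like ASCII letters
# in common fonts (Cyrillic a, e, o, p, c, x, y); a real deployment would use
# the full Unicode confusables table instead (assumption).
IDN_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                  "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def to_unicode(fqdn):
    """Lower-case the name and convert any punycode (xn--) labels to U-labels."""
    fqdn = fqdn.strip().rstrip(".").lower()
    return fqdn.encode("ascii").decode("idna") if fqdn.isascii() else fqdn


def ascii_rendering(name):
    """Return the ASCII string an IDN name looks like, or None when the name is
    plain ASCII or contains a non-ASCII character that is not a known look-alike."""
    if name.isascii():
        return None
    out = []
    for ch in name:
        if ch.isascii():
            out.append(ch)
        elif ch in IDN_LOOKALIKES:
            out.append(IDN_LOOKALIKES[ch])
        else:
            return None
    return "".join(out)


def interchanged_variants(label):
    """All other spellings of `label` obtained by swapping 1/l/i and 0/o among themselves."""
    choices = []
    for ch in label:
        group = next((g for g in ASCII_CONFUSABLES if ch in g), None)
        choices.append(group if group else ch)
    return {"".join(v) for v in product(*choices)} - {label}


def screen_request(fqdn, requester):
    """Return the list of reasons a request counts as high risk (empty if none)."""
    name = to_unicode(fqdn)
    reasons = []
    looks_like = ascii_rendering(name)
    if looks_like is not None:
        reasons.append("IDN name renders like ASCII %r" % looks_like)
        name = looks_like  # run the remaining checks on what a user would see
    labels = name.split(".")
    if len(labels) < 2:
        return reasons + ["not a registrable domain"]
    base, tld = labels[-2], labels[-1]
    if base in HIGH_VALUE_BASES:
        reasons.append("high-value base name %r" % base)
    if any(label in HIERARCHY_LABELS for label in labels[:-1]):
        reasons.append("contains a high-value hierarchy label")
    if "bank" in name:
        reasons.append('contains "bank"')
    # A look-alike spelling is only a problem when someone else holds the original.
    for variant in interchanged_variants(base):
        owner = EXISTING_DOMAINS.get(variant + "." + tld)
        if owner is not None and owner != requester:
            reasons.append("confusable with %s.%s (controlled by %s)" % (variant, tld, owner))
    return reasons


if __name__ == "__main__":
    for req, who in [("shop.widgets.net", "widgets-ltd"), ("exampie.com", "someone-else"),
                     ("exampie.com", "example-inc"), ("p\u0430ypal.com", "someone-else")]:
        print(req, who, "->", screen_request(req, who) or "not high risk")
```

A request that is flagged is not refused: as the proposal notes, it only goes through the extra legitimacy checks of BR 4.2.1, which is why `screen_request` returns reasons for a human or a second process rather than a yes/no verdict, and why the 1/l/i and 0/o check deliberately stays silent when the requester is the same entity that already controls the look-alike domain.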

