From: Erwann Abalea Sent: Tuesday, July 7, 2015 4:24 PM Subject: Re: Letter from US House of Representatives
-------- Original message --------
From: Peter Kurrasch <fhw...@gmail.com>
Date: 10/07/2015 21:57 (GMT+02:00)
To: mozilla-dev-s...@lists.mozilla.org
Subject: EU Trust-lists (was: Letter from US House of Representatives)
This is an interesting topic. Setting aside politics and technical considerations and instead focusing on just security implications I'd like to share the following thoughts. I admit readily that I have not done much research on this topic so I hope people will make corrections or otherwise let me know if I'm missing important information.
* I don't think calling it a Trust List is appropriate and perhaps is better called "I Hope We Can Trust This" List. Or perhaps call it a "Mandatory Recognition of Authority" List. I didn't come across anything that leads me to conclude that this list is any more trustworthy than any other list I might generate, sign, and distribute.
* Perhaps unintentionally (and in a counter-intuitive sense) this legislation increases the attack surface that a bad actor might use. I took only a brief look at the list that Erwann pointed us to below and it seemed to me there are new authorities that are not already included in the Mozilla trust store. This means that if I don't feel like attacking one of the trust store CAs, I now have a whole slew of other places to go after. Just how much damage I might cause was not immediately clear to me but that's almost secondary: the legislation could actually improve my chances of success as a bad actor.
* At the most basic level, it's not clear to me to whom this legislation is directed. Is it citizens within the EU? Users of any web sites hosted within the EU? People outside the EU who might wish to conduct business with other people and businesses who happen to be located within the EU? Note that in addition to being a basic question this also goes to my previous point about how much larger does the threat landscape (and potential for harm) become?
* One of the more fascinating ideas for me was actually paragraph 61 of the WHEREAS portion of the legislation: that electronic identities should be viable into the future. This opens up the possibility (again, perhaps unintentionally) that revocation of a person's certificate or other "signature materials" might need to be specifically addressed.
* That previous point leads to what I think might be a major gap in the legislation: policies and regulations for when an individual loses control of his or her electronic identity. We know this will happen and I think we have to assume that it will happen a lot. What are the implications of that, from the standpoint of the legislation and its intended application? And any legal ramifications?
* Regarding Mozilla's support of any such lists, I think any proposal that requires a user to decide to accept/decline the list or an authority must be disqualified from further consideration. People make the wrong choices all the time so if you are dependent on a user making the right choice in order to establish/preserve a chain of trust it seems to me your chances of success are no better than a coin toss.
For me the bottom line in all this is that it seems the legislation is well intentioned but by creating a parallel universe of trust anchors outside of the existing PKI system (that has all the same issues and problems of the existing system) it actually does little to further the cause of making the internet safer and more trustworthy.
For whatever it's worth.