Kathleen, Eddy, Jan,
All,
the motivation for "give all CAs a grace period" is based on the
assumption "there are several other CAs who are involved in the
corporate-environment-MITM-business".
The assumption might be right or wrong. We don't know yet.
If we immediately execute the punishment, everyone will (morally
rightfully) expect that we repeat the punishment for any future CA being
detected, with immediate effect - for all MITM activities that are
currently still ongoing and that we will learn about in the future. (Who
knows how many employees of such environments already made a backup copy
of such a MITM certificate, can prove that the cert hasn't been revoked
and is still valid as of today, and are waiting to submit until after we
made such an ultimate decision, knowing that their submission causes
end-of-business for such CAs?)
We don't know yet how many CAs would have to be punished. What if we'd
have to punish a set of major CAs that has certified more than 50% of
the secure web? If this unfortunate assumption were true, wouldn't we
cause an immediate shutdown of a large percentage of the secure web and
create lots of chaos? This is the dilemma we are facing. Under the
assumption that such MITM uses are indeed limited to closed corporate
environments, this immediate chaos, and the amount of potential
economical harm caused, might be worse than the immediate benefit of
shutting down the corporate internal watching. (Under the assumption
that MITM is indeed limited to corporate environments, I'm willing to
change my opinion 180° on the first proof of MITM outside of a corporate
network made possible by one of the CAs in the Mozilla CA program.)
The use of MITM CA certs in corporate networks is an unethical practice
and we should stop it as quickly as we can.
I still believe it's a good idea to grant a short grace period for CAs
to learn about the new guaranteed punishment, because we clarify that
MITM subCA behaviour is always absolutely unacceptable, even in
controlled corporate environments, and give them an opportunity to act
accordingly and stop it immediately.
I originally bought the argument that 2-3 months are a necessary period
of time to allow for transitioning.
However, I very much like Jan Schejbal's new argument:
> a) They do not need to roll this out immediately, they just need to
> stop doing MitM attacks until they managed to roll it out
> b) They only need to roll out to clients to be MitM-ed, i.e. not all
> WiFi APs etc.
I agree with Jan's argument that the internal "MITM needs" of corporate
environments aren't sufficient reason to allow for a long transition
period. I agree the transitioning argument shouldn't play a role when
making a decision for the length of the grace period. If a corporation
depends on MITM practices involving trusted public CAs (instead of the
cleaner solution of using a private CA), it's the corporation's problem
that they will temporarily be unable to watch all employees' traffic; it
doesn't matter for the public web community.
I still believe we need to give CAs a chance to investigate their list
of issued subCAs and make decisions for themselves, which subCAs they are
willing to continue to trust (because they are 100% sure they have
strong control) and which subCAs are "too risky" from now on, because an
abuse performed by a customer could mean the immediate end of a major
part of their CA business.
Maybe one month should indeed be a sufficient amount of time for CAs to
make such an assessment for their set of issued subCAs.
If, during this period of time, at least one more CA goes public,
consequently revokes such MITM subCA certificates, and promises to not
do it again, then we have done something good for the security of the
web. I agree with the argument made earlier: this scenario is better
than having several large CAs decide that complete secrecy is the only
chance left to save their business.
However, I would like to make everyone aware of an additional potential
outcome.
After the grace period, what if we learn that Trustwave was actually the
only CA that participated in the corporate MITM business?
Maybe we will learn that no other CA has the need to come clean?
Maybe all the other CAs in the Mozilla root program decide they have
nothing to hide, and are not worried by the threat "Mozilla will remove
you from the Mozilla CA program if we discover any of your subCAs is
used by anyone for MITM practices"?
In my opinion, if this should happen, if we learn at the end of the
grace period that Trustwave was actually the only CA involved in the
corporate MITM business, because no other CA made use of the offer to
come clean, because all CAs accept the rule "MITM detected and you're
out", then we will still have the right to remove TrustWave, and under
such circumstances we should probably do so.
Kai
--
Sending me encrypted e-mail:
- get my S/MIME cert from
https://kuix.de/smime-keyserver/
- get my GPG/PGP key from
http://pgp.uni-mainz.de/