Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion


Wayne Thayer

Mar 19, 2018, 6:27:11 PM
to mozilla-dev-security-policy
A few months ago, we discussed our root inclusion criteria [1], and came to
a conclusion that I summarized and proposed in policy as follows:

I would like to thank everyone for your constructive input on this topic.
> At the outset I stated a desire to ‘establish some objective criteria that
> can be measured and applied fairly’. While some suggestions have been made,
> no clear set of criteria has emerged. At the same time, we’ve heard the
> argument that our time would be better spent on raising the bar for all CAs
> in the program, regardless of their subjective value to typical users of
> our products.
>
> Some thought was also given to applying unique technical criteria to new
> CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> support. It was pointed out, however, that this favors incumbents and
> doesn’t drive improvement in the overall ecosystem.
>
> The conclusion from this discussion is that we will not attempt to restrict
> organizations from participating in the Mozilla CA program based on a
> judgement of their value to our users. We will continue to require
> applicants to demonstrate compliance with our policies, and reserve the
> right to deny membership to any CA at our discretion, e.g. because they
> have a documented pattern of misbehavior or we believe they intend to
> violate our policies.
>
> Here is a proposed update to the Mozilla Root Store Policy reflecting this
> decision:
>
> https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1
>

Having just reviewed this again, I recommend that we also remove the word
“typical” from section 2.1(1) of the policy that reads:

CAs whose certificates are included in Mozilla's root program MUST:
> 1. provide some service relevant to typical users of our software
> products;
>

This is: https://github.com/mozilla/pkipolicy/issues/118 and
https://github.com/mozilla/pkipolicy/issues/104

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/GbXvh9ulboI/DWdJUc_cAQAJ

-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

Ryan Sleevi

Mar 20, 2018, 11:22:41 AM
to Wayne Thayer, mozilla-dev-security-policy
So, one aspect of this is the recently discussed risk - that is, a CA that
provides value for only 10 users presents a substantial amount of risk to
all Mozilla users, for both compromise and non-compliance. This is,
admittedly, a subjective evaluation - but then again, so is trust. I'm
curious whether the current "typical" language serves to establish a
baseline bar for assessing the risk - that is, a CA that issues only one
certificate a year, used by 100 Mozilla users, seems like a substantial
risk to all Mozilla users.

Wayne Thayer

Mar 20, 2018, 2:46:30 PM
to Ryan Sleevi, mozilla-dev-security-policy
On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
> So, one aspect of this is the recently discussed risk - that is, a CA that
> provides value for only 10 users presents a substantial amount of risk to
> all Mozilla users, for both compromise and non-compliance. This is,
> admittedly, a subjective evaluation - but then again, so is trust. I'm
> curious whether the current "typical" language serves to establish a
> baseline bar for assessing the risk - that is, a CA that issues only one
> certificate a year, used by 100 Mozilla users, seems like a substantial
> risk to all Mozilla users.
>

Does the first sentence of section 7.1 address this concern? I proposed [1]
removing "benefits and" so that it reads:

7.1 Inclusions
>
> We will determine which CA certificates are included in Mozilla's root
> program based on the risks of such inclusion to typical users of our
> products.
>
In other words, the proposed change to section 2.1(1) does not exclude
roots that fail to meet the "relevant to typical users" bar, but section
7.1 supports us in making decisions based on the risk to a typical user.

- Wayne

[1]
https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b

Ryan Sleevi

Mar 20, 2018, 5:23:57 PM
to Wayne Thayer, Ryan Sleevi, mozilla-dev-security-policy
Ah, good point. Yeah, I think that's a perfectly reasonable change.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

Wayne Thayer

Mar 23, 2018, 1:06:24 PM
to Ryan Sleevi, mozilla-dev-security-policy
I've made the additional change proposed above to the 2.6 branch:
https://github.com/mozilla/pkipolicy/commit/13ce71ab3936e721236b8c9f8753f253fb7f3750