On Sun, Mar 1, 2020 at 9:49 PM Matt Palmer via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> The BRs, in s4.9.1.1, say:
>
> > The CA SHALL revoke a Certificate within 24 hours if one or more of the
> > following occurs:
> >
> > [...]
> > 3. The CA obtains evidence that the Subscriber's Private Key
> > corresponding to the Public Key in the Certificate suffered a Key
> > Compromise
>
> I've come to have some concerns about this clause of the BRs, in that it
> seems very much up to the CA to decide what constitutes valid "evidence" of
> key compromise, and there doesn't appear to be anything (other than
> possible
> mdsp censure, after the fact) preventing a CA using "your evidence is
> insufficient" as a way of delaying revocation, potentially indefinitely.
That’s not quite correct. They also have to convince their auditor,
although whether or not you see that as a barrier depends.
However, I get the feeling that you don’t put much stock into incident
reports and browsers dim view of shenanigans. That might be worth expanding
upon, if you believe the incident reporting process is not adequately
protecting users or balancing tradeoffs.
>
> In my specific case, I've been providing a JWS[1] signed by the compromised
> private key, and CAs are telling me that they can't (or won't) work with a
> JWS, and thus no revocation is going to happen. Is this a reasonable
> response?
Honestly? Yes. And not just because JWS is trash (although it is; yes, I
have feelings), but broadly because the semantics of any given signature
format impact how reliable a proof of compromise is. The problem with using
JWS, PDF, or even something more bespoke, like Matt-Sig, is the general
risk of cross-protocol attacks, in which the same message might have
multiple interpretations depending on how it is processed.
PDF is perhaps a real-world example of this, in which appended data might
cause display mutations of the signed data. Another might PE signing, which
allows for the inclusion of unsigned data with a signed executable that can
be difficult for processing to distinguish.
There’s no reason to expect a CA to be prepared to support Arbitrary Format
Foo. While my distaste for the JOSE suite of boondoggles is deeply
entrenched, I do think there’s benefit in using common PDUs that CA tooling
already deals with. As discussed in the past, the CSR approach is not
without merit.
If it is a reasonable response, what properties are necessary to
> differentiate valid evidence from invalid? Is it appropriate for a CA to
> be
> able to unilaterally decide what constitutes valid evidence, and should
> they
> be able to change that decision at any time?
I appreciate the pursuit of a general rule here, which your questions seem
geared towards. The downside of over-prescriptivist approaches is that they
end up disadvantaging the reporter; the “minimum consistent bar” ends up
becoming a problematic barrier to overcome.
The short and simple answer is if you feel the CA has responded poorly,
sharing those details is the next step towards remedying it, and, if
possible, improving policy languages.
Relatedly, if a CA were to receive a key compromise notification which truly
> *doesn't* have sufficient evidence of compromise, but which at least has
> some degree of legitimacy (rather than "I haxxed teh keys to your CA,
> better
> pay me dogecoin!!!11!one!"), is there (or should there be) any onus on the
> CA to respond to that notification within a certain timeframe?
CAs are required to make a preliminary incident report available within 24
hours, including the “sod off your report is garbage”, as covered in 4.9.5.
The language is flexible in how CAs receive and process Problem Reports, in
part to allow CAs to adequately deal and the “the gubmint is spying on me
and my ex is working with mossad” nonsense reports that unfortunately most
security reporting mechanisms receive. At the same time, if there is belief
that there’s something unreasonable being imposed (such as requiring
Problem Reports be submitted only on a blood moon in the third half of the
Month of the Rabbit), well, then you’re exercising the right path here by
asking “What the heck?”
I ask this because I accidentally sent a couple of compromise notifications
> with an incorrect URL. While one notification got what appeared to be a
> human saying "we'll look into it" (which itself was sent more than 24 hours
> after I received the corresponding auto-ack), others have been greeted with
> complete radio silence (other than the auto-ack). This seems...
> sub-optimal.
Did you use the CPS documented problem reporting mechanism?