Re: Let's temporarily stop adding new CAs to our trusted CA list

Tom Lowenthal

Oct 10, 2011, 3:37:58 PM
to dev-secur...@lists.mozilla.org
I second Brian's proposal.

We're having a tough enough time evaluating our current security
posture. It makes sense to complete our reflection on our current
authorization criteria before adding more roots. As far as I can tell,
there hasn't been any disagreement with this proposal so far.

-Tom


On 09/20/2011 03:40 PM, Brian Smith wrote:
> I propose that, effective immediately, we stop considering new CAs for inclusion into the root list, at least temporarily--for at least six weeks. I think we should use these next few weeks to reconsider our criteria, review roots we have already included, and possibly even remove roots that we've already included, based on any reconsidered criteria. I also think we need to reconsider the FIFO-ish nature of the inclusion process, and instead order the queue based on priority--using a metric that hasn't yet been established.
>
> Cheers,
> Brian

ianG

Oct 10, 2011, 5:23:20 PM
to dev-secur...@lists.mozilla.org
On 11/10/11 06:37 AM, Tom Lowenthal wrote:
> I second Brian's proposal.
>
> We're having a tough enough time evaluating our current security
> posture. It makes sense to complete our reflection on our current
> authorization criteria before adding more roots. As far as I can tell,
> there hasn't been any disagreement with this proposal so far.

I disagree. CAs have a stupidly ridiculous time as it is, and to put a
stop on all additions just because we don't know what to do ... well
doesn't sound very professional.

The ones who are likely at fault are the oldtimers, this move punishes
the newcomers. They already get punished by a year's delay, during
which time by rights they could have done 2 audit cycles. Looking at
Brian's project, I'd say a year's worth of work there.

Kathleen Wilson

Oct 10, 2011, 6:03:19 PM
to mozilla-dev-s...@lists.mozilla.org
On 10/10/11 2:23 PM, ianG wrote:
> On 11/10/11 06:37 AM, Tom Lowenthal wrote:
>> I second Brian's proposal.
>>
>> We're having a tough enough time evaluating our current security
>> posture. It makes sense to complete our reflection on our current
>> authorization criteria before adding more roots. As far as I can tell,
>> there hasn't been any disagreement with this proposal so far.
>
> I disagree. CAs have a stupidly ridiculous time as it is, and to put a
> stop on all additions just because we don't know what to do ... well
> doesn't sound very professional.
>
> The ones who are likely at fault are the oldtimers, this move punishes
> the newcomers. They already get punished by a year's delay, during which
> time by rights they could have done 2 audit cycles. Looking at Brian's
> project, I'd say a year's worth of work there.
>
>

I agree with Iang.

New CAs should be held to the same policies that are published in
Mozilla's CA Certificate Policy, and the practices that are documented
in our wiki pages (https://wiki.mozilla.org/CA).

When Mozilla's CA Certificate Policy is updated, then all of the CAs
with roots in NSS are given a certain amount of time to comply with the
changes.

If your evaluation of Mozilla's current security posture and your
reflection on the current authorization criteria are finding some
interesting things in Mozilla's CA Certificate Program that you would
like to change, then please post your proposals in this discussion forum.

Kathleen

PS: Note that I have already incorporated the action items from the CA
Communication into the root inclusion process, and in our wiki pages.
https://wiki.mozilla.org/CA:Information_checklist