(I guess we're all wearing our affiliations on our backs, but disclosure:
I'm a US federal government employee, but am not speaking on behalf of the
USG, and don't have any professional affiliation with the US FPKI run out
of the Treasury Department.)
On Fri, May 15, 2015 at 11:49 AM, Ryan Sleevi <
> On Fri, May 15, 2015 1:52 am, Gervase Markham wrote:
> > On 15/05/15 00:01, Ryan Sleevi wrote:
> > > I think there's also the broader consideration of whether Mozilla's
> > > policy
> > > interests are served by promoting borders on the Internet, which
> > > proposal certainly does, but the broader question invariably does.
> > > https://www.mozilla.org/en-US/about/manifesto/
, Items 2, 4, and 6 all
> > > seem relevant to the broader discussion of the implications of such a
> > > policy.
> > It would be helpful if you could expand upon this point, and the
> > relationship you see between those three principles and the proposal.
> 2) The Internet is a global public resource that must remain open and
> - By introducing a demarcation of power/privilege by "government" or not
> (which still suffers from the definitional issue that you've entirely
> danced around :P), it ostensibly undermines the notion of global (e.g. if
> you're required, by local jurisdiction, to only use CAs approved by
> Country A, then you can no longer apply for any arbitrary name but only
> those CAs approved by Country A can issue to)
> - By introduction restrictions on what government CAs can do, it creates a
> different standard of openness. That is, it presumes corporations are
> trustworthy and governments are not
It does not presume corporations are trustworthy and governments are not.
It does presume that governments are different in some way than
corporations, and that that difference, in the context of the CA system and
the root program, might merit name constraints.
The health of the CA system, and the root program that manages it in many
ways, relies on leverage, accountability, and market forces to keep it in a
stable place that supports a strong internet. We all acknowledge the CA
system, like the DNS system, is imperfect and not fully centralized. It's
not all math -- it relies on human factors and institutional incentives.
Governments are not subject to the same kind of leverage, accountability or
market forces that corporations are. The legal constraints they operate
under are different, your likelihood of prevailing in a legal action
against them is different (and highly subject to the government in
question), and their business practices and incentives are going to be very
In other words, you cannot expect a government CA to respond to the same
kinds of forces, either market pressure or deliberate browser/community
pressure, that a commercial CA would. This distinguishes those kinds of CAs
in a way that does *not* require to you to rest on the vague or general
idea that governments are less trustworthy than corporations.
Another factor is _why_ the government CA is applying to the trusted root
program. If the government CA only intends to issue certs for its own
properties, and its properties can reasonably be concluded to fall under a
clear name jurisdiction, then name constraints don't actually "constrain"
their business model. This avoids "slippery slope" concerns that might lead
to constraining a commercial CA against their will.
If a government CA is applying in order to provide certificates for its
country's corporations or citizens, that's a more complicated issue.
Treating ccTLDs (e.g. .in) as actually geographically bound, for the
purpose of a CA system, seems brittle and very much something that
*advances* the idea of the internet as geographically bound.
By contrast, to constrain a government to its own properties (e.g. .gov.in
or .gov) doesn't advance a geographic boundary, but an organizational
The idea of constraining a government CA (like India or the US) to its own
properties is, to my mind, very different than constraining a corporation
(like Google or Microsoft) to its own properties. We, the browsers and
standards bodies of the internet and the people of the earth, have very
different leverage over abuses by a corporation than by a government.
> (this is your first question, which is
> implicitly answered in the positive in any discussion pro-constraint), and
> corporations can openly participate while governments cannot.
As described above, this is not always correct. In the case of a government
asking for admittance to the root program for the intent of issuing trusted
certs for its own organization, the government is not asking to "openly
participate" in the first place. They are asking to participate with a
closed set of domains, and name constraints can function to enforce that
Some people may also feel they are appropriate for corporate CAs who intend
to issue for themselves, but that's not what I'm arguing here, nor do I
feel there is risk of a slippery slope.
4) Individuals' security and privacy on the Internet are fundamental and
> must not be treated as optional.
> - In the pro-constraint case, which again arguably answers the first
> question you pose by saying "Yes, there is a difference", it introduces
> the beginnings of technical control to introduce borders on the Internet,
> by (effectively) restricting what domains individuals can purchase, and
> further encouraging a centralization of names that are in government
> control. Using my previous message as an example, I may choose to purchase
> resources from China and the US under the assumption that they will not
> mutually aid eachother in compromising me, even if they may both
> independently attempt to.
This argument only applies to scenarios in which the public (in any
country) is restricted in some way from the domains they can issue. When
constraining a government CA to issue in a namespace like .gov.in
, or .gov,
no one's market choices are limited.
In fact, such a name constraint in the root program would also *not*
require that government to prevent other commercial CAs to issue
certificates for a government suffix. (And, briefly offering my own work
perspective, as someone who configures .gov certificates from commercial
CAs, I would never desire this sort of limitation.)
In short, the public's market choices are unaffected, and the government's
own market choices for their own properties are only expanded.
6) The effectiveness of the Internet as a public resource depends on
> interoperability (protocols, data formats, content), innovation and
> decentralized participation worldwide.
That's absolutely correct. However, neither DNS nor the CA system are fully
decentralized. They each depend on political tradeoffs and a careful
evaluation of incentives -- the current IANA transition
> is an
excellent reminder of that.
> - Name-constraining CAs has the effect of centralizing protocols
> (vis-a-vis DNS)
I don't understand the phrasing here. The trusted root program is already a
centralized repository of data that constrains who can become a CA.
> - Name-constraining CAs has the effect of discouraging interoperability by
> introducing multiple semi-subjective criteria into the discussion of trust
> ("What is a Government CA", "What is a government TLD")
You're absolutely right that there's a judgment call involved in deciding
"what is a government CA". CNNIC comes to mind as a contested example.
However, in cases where there is no ambiguity about whether the CA is a
government CA -- for example, a CA operated by public sector money in an
internationally recognized country who describes themselves as a government
and who intends to issue for other unambiguously government entities --
there's not much of a subjective judgment call involved there.
I've at length answered your second question posted - which is whether it
> makes things better or worse - and demonstrated the many ways in which it
> can make things worse.
I believe you've described the ways in which name constraints can make
things worse *if* various other clearly definable things happen, such as:
commercial CAs being restrained, or a cert for a ccTLD only being issuable
by a particular CA, or a government CA being restrained against their will
from issuing certificates for non-governmental entities. I think we can
discuss name constraining government CAs without invoking these scenarios.
Holistically, your argument describes a slippery slope. I don't believe
slippery slope arguments are wrong, but if you can define an unambiguous
rationale and line for certain behavior, I think the slippery slope
argument can be clearly outweighed.
I mean, the definitional issues alone should show how subjective this is.
> For example, I note you didn't include under "potential government CAs" as
> LuxTrust ("Established in November 2005 through a partnership between the
> Luxembourg government and major private financial actors in Luxembourg"),
> or what the subtle implications are for Certinomis (which partners with La
> Poste to perform identity validation, which is the mail service of France,
> is definitionally an autonomous public enterprise since 1 January 1991,
> when it was split from DGP, but which arguably operates within the
> imprimatur of the French government)
> I posit these as simply two examples of many to indicate the very
> difficult challenges with separating 'operational capability'. However,
> would we argue that a CA is wholly independent if it was seeded by
> In-Q-Tel? Why or why not?
You describe complicated and ambiguous situations. The best answer to this
kind of ambiguity is to err on the side of No. Don't name constrain them,
and if no name constraints means the root program isn't willing to accept
them, then don't do it.
That's a separate issue. You're definitely correct when you point to
corporate CAs not being definitionally more "trustworthy" than government
CAs. It's a hostile world out there.
However, I do think that if a CA *can* be clearly defined as a "government
CA", and that government CA is interested in issuing for itself -- then,
because an unambiguous government CA operates under fundamentally
different legal and operational constraints than a commercial CA, name
constraints only expand opportunity and flexibility for all parties
I'll also say that in my opinion, an *unconstrained* government CA whose
operational mandate is only to issue for itself has a worse impact on the
quality of the trust store than an unconstrained commercial CA. Name
constraints seem the only appropriate way to admit a government CA to the
trust store who is only supposed to be in the business of issuing for
themselves. If name constraints aren't applied, I'd advocate for rejecting
that CA's application.
> There are so many more important things to spend our time on with regards
> to improving trust. Simply embracing and encouraging greater transparency
> (e.g. through Certificate Transparency) could go a long way in
> establishing an objective basis for discussions about trustworthiness, and
> the quality of audits, and the compliance and adherence to technical
> requirements, rather than gut speculation and the jingoistic
> sentimentality it inevitably invites.
Certificate transparency and public key pinning are fantastic technical
patches to the global CA system, and the CAB BRs and audit quality are
crucial human patches.
Name constraints are also a patch, and they provide a function not offered
by CT, PKP, BRs, or audits. When applied in a non-ambiguous, narrow way on
actors who clearly differ in the accountability and leverage that human
institutions can bring to bear on them, those name constraints make the CA
system and root program more flexible, not more brittle.
| @konklone <https://twitter.com/konklone