
cacert.org


Manuzhai

Feb 15, 2006, 6:22:48 AM2/15/06
Hi there,

Even with the danger of opening a can of worms here, I wonder what the
status on inclusion of the cacert.org root cert is. The bug [1] has very
interesting and lively discussion over a span of, oh, 30 months, and on
the status page [2] it says that the CAcert inclusion is Pending, while
most other inclusions that haven't been approved seem to say Processing.
What does CAcert need to do to get from Pending to Processing? The audit
doesn't seem like the necessary step, as there are other CAs mentioned
as Processing which don't have an audit.

Regards,

Manuzhai (not affiliated to cacert, other than being a member)


Frank Hecker

Feb 15, 2006, 6:12:21 PM2/15/06
to Manuzhai
Manuzhai wrote:
> Even with the danger of opening a can of worms here, I wonder what the
> status on inclusion of the cacert.org root cert is. The bug [1] has very
> interesting and lively discussion over a span of, oh, 30 months, and on
> the status page [2] it says that the CAcert inclusion is Pending, while
> most other inclusions that haven't been approved seem to say Processing.
> What does CAcert need to do to get from Pending to Processing? The audit
> doesn't seem like the necessary step, as there are other CAs mentioned
> as Processing which don't have an audit.

The "pending" vs. "processing" distinction is confusing and not really
necessary; also, "processing" didn't have anything to do with having an
audit or not. I can't remember why I made this distinction, and I'll
probably just change all the status indicators to use "pending", and
eliminate the use of "processing".

Regarding CAcert.org, the basic situation is that, like all CAs, it has
to go through some sort of audit or audit-like process. If you want to
know what they're currently doing with regard to that requirement, I
suggest contacting CAcert directly; I don't want to speak for them.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Kyle Hamilton

Feb 15, 2006, 8:25:35 PM2/15/06
to dev-tec...@lists.mozilla.org
(I /hate/ that I have to click 'reply all' to reply to the original
poster /and/ the list.)

---------- Forwarded message ----------
From: Kyle Hamilton <aero...@gmail.com>
Date: Feb 15, 2006 6:24 PM
Subject: Re: cacert.org
To: Frank Hecker <hec...@mozillafoundation.org>


As I recall, cacert.org was planning to be audited by one of the
Mozilla guys directly. I don't know who, and I don't know when, but I
kinda recall some discussion of this.

-Kyle H


Nelson B Bolyard

Feb 15, 2006, 8:59:06 PM2/15/06
to dev-tec...@lists.mozilla.org
Kyle Hamilton wrote:
> (I /hate/ that I have to click 'reply all' to reply to the original
> poster /and/ the list.)

What would you propose instead?
Having a Reply-To: header in each message that replies to the alias?
or ?

/Nelson (List owner/moderator)

Nelson B

Feb 16, 2006, 5:33:50 PM2/16/06
Nelson B Bolyard wrote:
> Kyle Hamilton wrote:
>
>>(I /hate/ that I have to click 'reply all' to reply to the original
>>poster /and/ the list.)
>
> What would you propose instead?
> Having a Reply-To: header in each message that replies to the alias?
> or ?

The particular MailMan list management software we're using gives me
rather few choices in the way of message header munging. I can

1. Insert a prefix in the subject line, e.g.
Subject: [dev-tech-crypto] Re: list replies?
^^^^^^^^^^^^^^^^^ inserted

2. Replace the email address(es) in From: Sender: and Reply-To: headers
with the address of the list itself, anonymizing the messages.
(seems undesirable).

3. Make these other Reply-To header choices:
a) leave it alone (as the poster created it) [now configured this way.]
b) strip it out completely
c) replace its contents with a constant string, e.g. with name of list.

If there is consensus that a change to these settings is desired, I'm willing.
Please discuss it in this list, not in private email to me. Thanks.

--
Nelson B (list owner & moderator)

Gervase Markham

Feb 17, 2006, 11:09:58 AM2/17/06
Kyle Hamilton wrote:
> As I recall, cacert.org was planning to be audited by one of the
> Mozilla guys directly. I don't know who, and I don't know when, but I
> kinda recall some discussion of this.

I remember hearing someone say this, but when I asked, the name given
wasn't anyone I'd ever heard of. I forget who it was.

And I don't know what Frank would say, but I'm not sure that a review
from a single unqualified individual could meet the "WebTrust or
equivalent" standard in the CA cert policy.

Gerv

Kyle Hamilton

Feb 17, 2006, 11:32:19 AM2/17/06
to dev-tec...@lists.mozilla.org
*nods* I'm pretty sure you're correct.

What qualifications would be necessary? (Considering that auditors
are supposed to be extremely skilled at finding things that are out of
place... Webtrust uses CPA auditors. I don't know if most CPAs would
have enough knowledge to be able to properly audit a CA.)

How would one establish the possession of the qualifications?

What sort of liability bond would have to be posted? (Would there
/be/ any liability?)

These are just a couple thoughts that I have, and since I'm not a
member of the Mozilla Foundation I haven't got the faintest clue what
the answers might be.

-Kyle H

Nelson B

Feb 17, 2006, 12:29:17 PM2/17/06
Gervase Markham wrote:
> Kyle Hamilton wrote:
>
>>As I recall, cacert.org was planning to be audited by one of the
>>Mozilla guys directly. I don't know who, and I don't know when, but I
>>kinda recall some discussion of this.
>
> I remember hearing someone say this, but when I asked, the name given
> wasn't anyone I'd ever heard of. I forget who it was.

I believe it was Mr. David E. Ross http://www.rossde.com/
He used to be a regular in this newsgroup/alias, but the last time
I saw a message from him was Feb 10 2004. :-(

> And I don't know what Frank would say, but I'm not sure that a review
> from a single unqualified individual could meet the "WebTrust or
> equivalent" standard in the CA cert policy.

In news://news.mozilla.org:119/mailman.1103829962....@mozilla.org
IanG wrote (quoting Frank):

>> I should also note that the "third party" could in fact be myself or other
>> volunteers participating in the Mozilla project, so I'm preserving that
>> option as well; the only requirement is that the third party be independent
>> from the CA itself.
>
> Luckily David Ross has posted his intention to do just that,
> so we have a concrete case to examine.


--
Nelson B

Frank Hecker

Feb 17, 2006, 2:32:28 PM2/17/06
Nelson B wrote:
> I believe it was Mr. David E. Ross http://www.rossde.com/
> He used to be a regular in this newsgroup/alias, but the last time
> I saw a message from him was Feb 10 2004. :-(

As I understand it, David got conscripted to serve on a grand jury. I
believe he is still serving on it, more than a year later :-(

Frank Hecker

Feb 17, 2006, 2:47:29 PM2/17/06
Gervase Markham wrote:
> And I don't know what Frank would say, but I'm not sure that a review
> from a single unqualified individual could meet the "WebTrust or
> equivalent" standard in the CA cert policy.

The Mozilla CA certificate policy doesn't say anything about "WebTrust
or equivalent". What it does say is that

* CA conformance must be attested to by "a competent independent party
or parties with access to details of the CA's internal operations";

* a "competent party" can be someone "for whom there is sufficient
public information available to determine that the party is competent to
judge the CA's conformance to the stated criteria", based on the party's
"knowledge of CA-related technical issues such as public key
cryptography and related standards; experience in performing
security-related audits, evaluations, or risk analyses; and honesty and
objectivity"; and

* an "independent party" can be someone "who is not affiliated with the
CA as an employee or director" and "is not financially compensated by
the CA".

If a CA were to propose someone who was not an actual professional
auditor authorized to do WebTrust or other formal audits, then that
person (or persons) would have to meet the requirements above, the CA
and/or would have to publish information regarding the person's
qualifications, and we could then debate within this group or in other
contexts (e.g., a relevant Bugzilla bug) whether the person was actually
qualified based on the information available.

Frank Hecker

Feb 17, 2006, 3:13:48 PM2/17/06
Frank Hecker wrote:
> If a CA were to propose someone who was not an actual professional
> auditor authorized to do WebTrust or other formal audits, then that
> person (or persons) would have to meet the requirements above, the CA
> and/or would have to publish information regarding the person's
> qualifications,

That should read "the CA and/or the person would have to publish".

David E. Ross

Feb 17, 2006, 3:42:28 PM2/17/06
Frank Hecker wrote:
> Nelson B wrote:
>> I believe it was Mr. David E. Ross http://www.rossde.com/
>> He used to be a regular in this newsgroup/alias, but the last time
>> I saw a message from him was Feb 10 2004. :-(
>
> As I understand it, David got conscripted to serve on a grand jury. I
> believe he is still serving on it, more than a year later :-(
>
> Frank

It's not yet a year. Grand Jury service is July through June, so I've been
on the Jury for almost eight months and still have four months. On top
of that, I am being solicited to serve an additional year.

I turned my materials over to Philipp Gühring of CACert, who indicated
he had other volunteers to perform the review.

--

David E. Ross
<http://www.rossde.com/>

Concerned about someone (e.g., Pres. Bush) snooping
into your E-mail? Use PGP.
See my <http://www.rossde.com/PGP/>

Manuzhai

Feb 17, 2006, 5:51:08 PM2/17/06
> 3. Make these other Reply-To header choices:
> a) leave it alone (as the poster created it) [now configured this way.]
> b) strip it out completely
> c) replace its contents with a constant string, e.g. with name of list.

There is a good summary of the debate "What to do with Reply-To" here:

http://producingoss.com/html-chunk/mailing-lists.html#reply-to

I usually like it when the Reply-To gets munged (although I usually
prefer newsgroup interfaces anyway, so I don't care that much).

Regards,

Manuzhai

Kyle Hamilton

Feb 17, 2006, 7:27:36 PM2/17/06
to Frank Hecker, dev-tec...@lists.mozilla.org
I have a small clarification question here...

> * an "independent party" can be someone "who is not affiliated with the
> CA as an employee or director" and "is not financially compensated by
> the CA".

I would sincerely hope that the direct and indirect costs of
performing the audit (including travel expenses and labor) would be
borne by the CA. If that could be modified to say "is not financially
compensated by the CA in any fashion other than direct and indirect
costs associated with the audit", that would be more appropriate (in
my opinion).

WebTrust certification forces the subject of the audit to pay for the
auditing costs.

-Kyle H

Frank Hecker

Feb 17, 2006, 11:42:51 PM2/17/06
Kyle Hamilton wrote:
> I would sincerely hope that the direct and indirect costs of
> performing the audit (including travel expenses and labor) would be
> borne by the CA.

My fault, I didn't quote the full policy:

By "independent party" we mean a person or other entity who is not
affiliated with the CA as an employee or director and for whom at
least one of the following statements is true:

* the party is not financially compensated by the CA;
* the nature and amount of the party's financial compensation by
the CA is publicly disclosed; or
* the party is bound by law, government regulation, and/or a
professional code of ethics to render an honest and objective
judgement regarding the CA."

So CAs are in fact free to pay people.

Kyle Hamilton

Feb 18, 2006, 1:09:15 AM2/18/06
to dev-tec...@lists.mozilla.org
Ah, okie.

How would one go about becoming certified as such an independent
auditor? I'd like to apply for such Mozilla Foundation certification.

-Kyle Hamilton

Kyle Hamilton

Feb 18, 2006, 3:23:40 AM2/18/06
to dev-tec...@lists.mozilla.org
As an aside to Frank: You need to change the newsgroup name on
http://www.hecker.org/mozilla/ca-certificate-list :)

-Kyle H

Frank Hecker

Feb 18, 2006, 4:07:19 PM2/18/06
Kyle Hamilton wrote:
> As an aside to Frank: You need to change the newsgroup name on
> http://www.hecker.org/mozilla/ca-certificate-list :)

Done. (Thanks for catching that!)

Frank Hecker

Feb 18, 2006, 4:14:28 PM2/18/06
Kyle Hamilton wrote:
> Ah, okie.
>
> How would one go about becoming certified as such an independent
> auditor? I'd like to apply for such Mozilla Foundation certification.

I didn't envision this as being something that a person would just do as
an independent activity, with the Foundation in essence "certifying"
people to do this sort of work. It's more something that would be done
in the context of a particular CA and its application for inclusion, and
then only if a) the CA weren't doing a formal WebTrust audit (or similar
formal audit done by an authorized auditor), and b) the CA were willing
to grant the person in question the necessary access to its internal
operations. Thus far the only CA that's fit criterion (a) has been
CAcert, and they're still figuring out who they want to help them.

Kyle Hamilton

Feb 18, 2006, 5:56:48 PM2/18/06
to Frank Hecker, dev-tec...@lists.mozilla.org
On 2/18/06, Frank Hecker <hec...@mozillafoundation.org> wrote:
>
> I didn't envision this as being something that a person would just do as
> an independent activity, with the Foundation in essence "certifying"
> people to do this sort of work. It's more something that would be done
> in the context of a particular CA and its application for inclusion, and
> then only if a) the CA weren't doing a formal WebTrust audit (or similar
> formal audit done by an authorized auditor), and b) the CA were willing
> to grant the person in question the necessary access to its internal
> operations. Thus far the only CA that's fit criterion (a) has been
> CAcert, and they're still figuring out who they want to help them.

I figure that it'd be easier (for a CA) to deal with someone whose
knowledge of cryptography and auditing procedures has already been
tested and whose background has already been checked, when selecting
someone to grant the necessary access to internal operations. This
would provide a "jumpstart" on the process, as it would offer the
possibility to eliminate the necessary wrangling over the "who to do
it" decision.

I'm also asking this because I'd like to know what kinds of testing
procedures (for the proposed auditor) are going to need to be
required. For example, I know more than I really care to think about
about identity certification and CA operation, though I'm not as
familiar with auditing. (From what I have seen, there isn't enough
data obtained/retained by CAcert to be able to audit, but they seem to
be undergoing some kind of internal deficiency
determination/resolution, and I'd like to volunteer to assist them
with at the very least the deficiency determination process.)

Which brings up another point: If (as a volunteer) I assist CAcert in
determining what records need to be kept for auditing purposes as well
as help them write up their CPS (using only publicly available
information, and no access other than email to the people who run the
CA), would I become ineligible under the Mozilla Foundation's rules to
actually perform the audit? Their draft CPS states that an audit may
be performed by anyone other than an officer or Director of the
incorporated entity, but I'd like some kind of clarification on what
'independent' really means to MoFo.

Also, what is the deliverable of the audit? A report, or a report and
a recommendation for or against inclusion, or what? (I would suggest
merely a report, and let MoFo deal with the results. That way,
there's a separation of privilege -- the auditor observes, the
Foundation acts.)

-Kyle H

Arshad Noor

Feb 18, 2006, 8:44:12 PM2/18/06
to dev-tec...@lists.mozilla.org
Has the Mozilla Foundation considered using a self-audit in the form of
a Jurat? There are some advantages to doing so for the CA operator, as
well as for the MF.

To those unfamiliar with the term, a Jurat is any document, where the
signer swears to the veracity of its contents, signs the document in
front of a licensed Notary Public (NP) and has the NP sign & stamp the
document. (While this is true of most states in the US, I can only
speak for California).

Once the Jurat is signed by the NP, it is a legal document. Any signer
who knowingly signs the document while swearing to false information in
it, has committed a felony per California law. The Relying Party (MF in
this case) now has a hold on the signer that goes beyond even a WebTrust
audit - the threat of sending the signer to jail if the Jurat has false
information in it.

Advantages to the CA operator?

1) They don't need to divulge details of the operation to anyone
outside the company;
2) They know their PKI better than anyone else, and can perform
the audit rapidly;
3) There is no audit cost other than the time spent writing the
self audit and the NP's fee (less than US $25 if you go to the
NP's office);

Advantages to MF?

1) A legal document that carries the weight of civil law behind it
(and the threat of jail to offenders);
2) No need to authorize auditors if CA operators are willing to
perform self-audits and submit the documentation in the form of
a Jurat;
3) With a slightly modified architecture to Mozilla, it could even
lead to some interesting revenue opportunities for MF, allowing
it to fund future development and some vexing security problems
on the Internet.

Arshad Noor
StrongAuth, Inc.

David E. Ross

Feb 19, 2006, 11:16:32 AM2/19/06

There are some problems with this concept.

A jurat executed outside of the U.S. by a CA (certificate authority)
operating entirely outside of the U.S. might not be enforceable in U.S.
courts. It might not be enforceable to the extent indicated above in
the courts where the CA operates by a U.S. plaintiff; instead, there
might be only civil penalties for falsely swearing a jurat and no
criminal penalty.

A CA is expected to operate in a manner that does not injure the public.
Providing a criminal remedy against a rogue CA gives little
satisfaction to those suffering financial loss if they cannot recover
the money. A CA that falsely swears a jurat to have its root
certificate included in a browser so that fraud or other crimes can then
be committed will likely leave little to be found for restitution.

In the end, the issue is trust. The public is asked to trust the CA and
the subscriber certificates the CA signs. The first two advantages
listed for the CA above do not inspire trust. Trust is created by the
public exposure of the details of how the CA operates; this is required
by the WebTrust audit criteria. Further, trust is enhanced if a third
party looks at the CA operations because (as I learned during my career
as an independent software test engineer) the "owner" of a process,
system, or enterprise too often is blind to defects.

By the way, in California, falsely executing a declaration being
notarized is the crime of perjury. Perjury is a crime that stands
alone, neither a felony nor a misdemeanor. The penalty is that of a
minor felony, 2-4 years in a state prison. (However, I once heard that
perjury in a capital crime -- where the person falsely convicted is
executed -- is itself a capital crime.) A notary who actively helps
someone else commit perjury has committed a felony.

Arshad Noor

Feb 19, 2006, 3:11:03 PM2/19/06
to dev-tec...@lists.mozilla.org
I did not mean to imply that the jurat would be the sole document upon
which the MF would add a CA's root to the browser. There will need to
be contract terms to which the CA and MF would agree, and to which the
jurat would be added as an attachment. Such a contract would be the
recourse for recovery of damages, if any, from the CA operator. The
jurat adds the weight of personal responsibility on the part of the
signer.

I also did not mean to imply that the MF should not perform audits;
they are still necessary. However, they may not be necessary in every
case - only when warranted through complaints by RP's. To my mind, an
officer/manager of a CA operator is putting a lot more at risk when they
sign a jurat, than just a contract that does not hold them personally
accountable if the operator deviates from the CP. In fact,
self-preservation is more likely to ensure that they bring violations to the
attention of MF even if others in the company are attempting to cover
them up.

The self-audit template could be a format that is designed to elicit
sufficient information that the MF feels is necessary to engender trust;
so the self-audit will not necessarily be opaque.

Finally, I stand partially corrected on the statement that lying on a
jurat is a felony; it is in the matters of real-estate, but a perjury
otherwise. Section 115.5 (b) of the Penal Code (Notary Public Handbook
at http://www.ss.ca.gov/business/notary/notary_2005hdbk_1stpg.htm) says:

"Every person who makes a false sworn statement to a notary public,
with knowledge that the statement is false, to induce the notary public
to perform an improper notarial act on an instrument or document
affecting title to, or placing an encumbrance on, real property
consisting of a single-family residence containing not more than four
dwelling units is guilty of a felony."

Arshad Noor
StrongAuth, Inc.

Tristor

Apr 20, 2006, 4:50:36 AM4/20/06
On 2/15/2006 5:22 AM Manuzhai spoke thusly

> there are other CAs mentioned as Processing which don't have an audit.
>

I don't personally see a problem with requiring a third-party audit of
the CA. In fact, I think that's a good thing. I do, however, think
that there should be a review of all certificates/CAs currently included
in Firefox/Thunderbird to ensure that they have all undergone a
third-party audit of some kind (WebTrust or otherwise). And after all
the stuff that has happened, I wouldn't even be opposed to pulling the
Verisign root cert out of Mozilla products until they can provide
publicly accessible and third-party confirmed/audited proof that they
have changed whatever went wrong that caused the issues.

I can't provide documentation proving my capabilities, otherwise I
would be more than willing to do an audit on CACert. I have an
understanding of PKI, how CAs work, and cryptology, but since I can't
provide proof of it, I'm out of it as far as the requirements given by
Frank are concerned. As Kyle asked, I would be interested in seeing
some sort of Mozilla Foundation sanctioned "certification" that lets me
know if I meet their qualifications. If I talk to the CACert folks and
they did let me do the audit, but then I didn't meet the qualifications,
all would be for nought and it's a waste of time on CACert's and my part.


--
Tyler "Tristor" Duzan
