The goal of this proposed change is specifically to prevent this. Either stop chaining to a trusted root, or fully disclose the information. Or both. But, not neither.
> In response to the recent CA Communication I received audit reports
> for many of these in-premise enterprise sub-CAs, but these documents
> are considered to be confidential.
By whom are they considered confidential? We (Mozilla) should not be agreeing to non-disclosure of this information. In fact, I was expecting that we will publish all of this information publicly and/or share it with others that will publish it.
> I see your point about a CA-performed audit not being defined. I don't
> yet have an answer for this, other than it would obviously have to
> included periodic review of the issued certificates and network
> security reports.
We already have standards for auditing. These sub-CAs must adhere to the auditing requirements for CAs we already have. No CA is considered to be an acceptable auditor. (Or, in other words, there must not be any distinction between root and sub-CA as far as our policy is concerned.)
- Brian
By "account for" you mean "not require disclosure"?
> https://wiki.mozilla.org/CA:SubordinateCA_checklist
>
> 1) sub-CAs that can be technically constrained
I obviously vote for disclosure, but some people have argued against it.
> 2) Third-party public subordinate CAs that act as Certificate Service
> Providers (CSPs)
Should be audited through normal mechanisms and disclosed. What
argument is there against this?
Really, they should probably be required to go through the root approval
process themselves (ie: SubCAs would be essentially prohibited), given
that we all seem to agree that the current audit regime is insufficient
(hence the additional Moz requirements). But, as an interim measure
perhaps we should allow them to exist as long as they are audited and
disclosed.
> 3) Third-party private (or enterprise) subordinate CAs
And I have yet to hear any argument against disclosure other than "they
don't want to."
> I see the direction that you want Mozilla's CA Certificate program to go
> in the future, but it's not something you can instantly change. We need
> to keep taking steps in the right direction, but it will take time to
> get to the end goal.
Of course, but what's reasonable in the short term? Let's hear the
arguments for why audit and disclosure are not reasonable.
>>> I see your point about a CA-performed audit not being defined. I don't
>>> yet have an answer for this, other than it would obviously have to
>>> included periodic review of the issued certificates and network
>>> security reports.
To address the above question about the sub-CA audit, as performed by
the CA as an "internal audit" or other variations:
*Subsidiary audits are already incorporated into the audit process* :
the auditor opines over the whole, and writes his report to incorporate
any subsidiary audits, /however they are done/ . The auditor uses
something called the audit risk model to evaluate all the info brought
to her, and an internal audit or an SAS70 or similar done over an
external sub-CA is just more grist for the mill (more info into the
calculations).
In other words, it's already there. If the auditor is unhappy with the
results, exclusions will appear in the report. E.g., from memory, there
were exclusions in Thawte's audit of a couple of years back [0], and
also Comodo's before their first incident.
>> We already have standards for auditing. These sub-CAs must adhere to
>> the auditing requirements for CAs we already have.
Right.
>> No CA is considered to be an acceptable auditor.
I beg to differ -- if the lead auditor decides to lean on an internal
audit, as done by the CA or any other outsourced party, then so be it.
It's her opinion.
>> (Or, in other words, there must not be any distinction between root
>> and sub-CA as far as our policy is concerned.)
>>
>
> Fair enough. However, there has not ever been official policy
> requiring that the "third-party private (or enterprise) subordinate
> CAs" be externally audited.
I demur!
9. We consider the criteria for CA operations published
in any of the following documents to be acceptable.....
There is no exclusion in there. Everything is covered. It makes no
difference if there is outsourcing, insourcing or hotchillisaucing ...
it's covered.
iang
[0] CAcert used to rely on Thawte certificates for their "notaries".
However when I went back and read the Thawte audit of the time, there
was a specific exclusion: the Thawte notaries weren't audited at all.
Long and short of it is that CAcert went through a painful process to
drop reliance on those certificates. Shortly after that audit (while I
was forcing CAcert to deal with the absence of any reliable info) Thawte
shut down the notary network.
Which is all by way of saying: the system is there, and it works .. at
least sometimes :)
1. Where is it stated that auditors must include subsidiary "audits"?
2. Why would SAS 70 or something be an appropriate audit tool, vs a
WebTrust/ETSI/etc audit that's required of root CAs?
WebTrust doesn't mention auditing or reviewing audits of SubCAs.
WebTrust assumes no review of cross-signed entities.
WebTrust explicitly exempts any review of RAs.
So it seems clear that subsidiary audits are not necessarily already
incorporated into the audit process.
The don't have to. They choose whether to.
> 2. Why would SAS 70 or something be an appropriate audit tool, vs a
> WebTrust/ETSI/etc audit that's required of root CAs?
It's what is available. If an SAS70 is available on a company that has
a sub-CA, well, it's evidence for the model. If it doesn't work, then
more work to be done. An SAS70 has the benefit that the american market
understands them well.
> WebTrust doesn't mention auditing or reviewing audits of SubCAs.
> WebTrust assumes no review of cross-signed entities.
> WebTrust explicitly exempts any review of RAs.
Yup. One wonders what they were thinking when they wrote that last
exemption...
> So it seems clear that subsidiary audits are not necessarily already
> incorporated into the audit process.
Yes, correct. Not necessarily, but the auditor uses what he can.
To some extent, an SAS70 is designed to be shared in this way. (OK, I
don't know a lot about SAS70s...)
Where this becomes more interesting is that the CA should put in place
an internal auditing regime over the sub-CAs or remote RAs. This should
then be reviewed by the auditor, with intent to rely. Then, comments
fly back and forth, some changes are made, and hopefully it works out.
So in this sense, the lead auditor reviews the audit process of the
internal auditor over the subs, not the subs themselves.
iang
....and we can stop here.
The auditor isn't required or even asked to even "opine" over
subsidiaries, and there is no accountability if they don't. The
statement that "Subsidiary audits are already incorporated into the
audit process" is not true.
Why would an auditor do a bunch of extra work on something that they're
not even responsible for?
The solution is not to try to create some step-removed audit by bringing
this within the ambit of the auditor by requiring them to consider the
process of the internal "auditor" (should such an entity exist) but
rather to treat all CAs the same... whether they chain through a root or
whether they are seeking root status.
We've discussed this before and reached a compromise that the sub-CA
could be technically constrained, and the technical constraints would be
documented in the CA's CP/CPS, and therefore included in the audit.
>> 2) Third-party public subordinate CAs that act as Certificate Service
>> Providers (CSPs)
>
> Should be audited through normal mechanisms and disclosed. What argument
> is there against this?
>
There is no argument in this case. Such sub-CAs should have public
CP/CPS and audit statements, and be disclosed by the CA.
> Really, they should probably be required to go through the root approval
> process themselves (ie: SubCAs would be essentially prohibited), given
> that we all seem to agree that the current audit regime is insufficient
> (hence the additional Moz requirements). But, as an interim measure
> perhaps we should allow them to exist as long as they are audited and
> disclosed.
>
We do review them during the root inclusion process.
https://wiki.mozilla.org/CA:SubordinateCA_checklist
The information is listed in the information gathering documents and
attached to the CA's root inclusion request bug.
>> 3) Third-party private (or enterprise) subordinate CAs
>
> And I have yet to hear any argument against disclosure other than "they
> don't want to."
>
Since it is for internal use only, the enterprise considers their
CP/CPS/audit to be proprietary information. For instance, consider a
bank who has a certificate issuance program for their employees. Banks
tend to be very cautious about the information that they post publicly
regarding security.
CAs consider their relationship with these enterprise customers to be
proprietary information. There's the obvious concern that other CAs
would directly market their large enterprise customers. There's also
confidentiality agreements between CAs and their large enterprise
customers -- for instance the bank who considers even the relationship
to be sensitive information about their security infrastructure.
>> I see the direction that you want Mozilla's CA Certificate program to go
>> in the future, but it's not something you can instantly change. We need
>> to keep taking steps in the right direction, but it will take time to
>> get to the end goal.
>
> Of course, but what's reasonable in the short term? Let's hear the
> arguments for why audit and disclosure are not reasonable.
As per other discussions, there is a need to have technical solutions in
place to make it easier for these enterprise customers to not need to
chain up to roots in NSS.
For example: https://bugzilla.mozilla.org/show_bug.cgi?id=692248
When there is reasonable technical support in place for in-premise
enterprise customers, then I agree we should re-look at updating
Mozilla's CA Certificate Policy.
However for the large in-premise enterprise customers I think there will
continue to be the need for interoperability with their customers and
business partners. But, perhaps over time good technical solutions will
be implemented that will also solve this need.
Kathleen
He isn't asked or required to opine over much of the mechanics at all,
except as per the criteria; it's a high level thing where typically the
formula is "the documentation published by the CA is an accurate
representation of the operations."
Whether there is outsourcing or other mechanical componentry is a matter
of detail.
> and there is no accountability if they don't.
If the CA has subsidiaries, and the auditor doesn't consider them, then
he has failed. This is why the audit reports often include explicit
exclusions, so that you as relying party can know the limitations.
E.g., here is a comment from one CA's current filed audit:
"For the [CA's personal email service], [CA] makes use of external
registration authorities for the specific subscriber registration
activities as disclosed in the [CA's] CPS on [CA's] website. Our
examination did not extend to the controls of external registration
authorities."
and earlier, it said "Subscriber information was properly authenticated
for the registration activities performed by [the CA] and..."
So it's pretty clear.
> The statement that "Subsidiary audits are already incorporated into
> the audit process" is not true.
No, it is included in the *process of audit* not every particular
audit. Which is to say, the methodology that audits are conducted under
includes this possibility. It is routine for an auditor to rely on the
work of another auditor, if appropriate.
> Why would an auditor do a bunch of extra work on something that
> they're not even responsible for?
>
> The solution is not to try to create some step-removed audit by
> bringing this within the ambit of the auditor by requiring them to
> consider the process of the internal "auditor" (should such an entity
> exist) but rather to treat all CAs the same... whether they chain
> through a root or whether they are seeking root status.
Yes, the auditor is required to treat the whole thing, to a reasonable
standardised degree. There is no artificial barrier created just
because a company outsources some component to another company. If that
outsourced component is critical to the operations, then it must be
covered; either by an exception in the report as above, or by being
examined to the extent needed.
No auditor worth his salt is going to leave out the other company just
because it is a company.
iang
Right. I didn't prefer that solution, but given the resistance to
disclosure, it seemed like a viable compromise. It was a compromise
that applied to *all* types of SubCAs, but you appear to wish to
reconsider this compromise, so it's on the table again.
So far, Brian and I have made good arguments for audit and disclosure.
The argument against this seems to continue to be, "they don't want to."
Technically, all SubCAs can be considered to be those "that can be
technically constrained" because such mechanisms exist today. I think
that the distinctions below are superfluous in light of this, but let's
proceed to the analysis.
>>> 2) Third-party public subordinate CAs that act as Certificate Service
>>> Providers (CSPs)
>>
>> Should be audited through normal mechanisms and disclosed. What argument
>> is there against this?
>>
>
> There is no argument in this case. Such sub-CAs should have public
> CP/CPS and audit statements, and be disclosed by the CA.
>
>
>> Really, they should probably be required to go through the root approval
>> process themselves (ie: SubCAs would be essentially prohibited), given
>> that we all seem to agree that the current audit regime is insufficient
>> (hence the additional Moz requirements). But, as an interim measure
>> perhaps we should allow them to exist as long as they are audited and
>> disclosed.
>>
>
> We do review them during the root inclusion process.
> https://wiki.mozilla.org/CA:SubordinateCA_checklist
>
> The information is listed in the information gathering documents and
> attached to the CA's root inclusion request bug.
Yes, I see that these are requested in the checklist (although the
checklist refers to the cert policy audit requirements by number, and
the numbers refer to an out-of-date version of the cert policy).
Can you point to a CA that has fulfilled these requirements?
>>> 3) Third-party private (or enterprise) subordinate CAs
>>
>> And I have yet to hear any argument against disclosure other than "they
>> don't want to."
>
> Since it is for internal use only, the enterprise considers their
> CP/CPS/audit to be proprietary information. For instance, consider a
> bank who has a certificate issuance program for their employees. Banks
> tend to be very cautious about the information that they post publicly
> regarding security.
>
> CAs consider their relationship with these enterprise customers to be
> proprietary information. There's the obvious concern that other CAs
> would directly market their large enterprise customers. There's also
> confidentiality agreements between CAs and their large enterprise
> customers -- for instance the bank who considers even the relationship
> to be sensitive information about their security infrastructure.
Right. Translation: "they don't want to."
It's not that they can't implement them, or that they can't find
solutions for keeping their so-called proprietary data private, it's
that they don't want to.
>>> I see the direction that you want Mozilla's CA Certificate program to go
>>> in the future, but it's not something you can instantly change. We need
>>> to keep taking steps in the right direction, but it will take time to
>>> get to the end goal.
>>
>> Of course, but what's reasonable in the short term? Let's hear the
>> arguments for why audit and disclosure are not reasonable.
>
> As per other discussions, there is a need to have technical solutions in
> place to make it easier for these enterprise customers to not need to
> chain up to roots in NSS.
> For example: https://bugzilla.mozilla.org/show_bug.cgi?id=692248
>
> When there is reasonable technical support in place for in-premise
> enterprise customers, then I agree we should re-look at updating
> Mozilla's CA Certificate Policy.
Enterprises *today* have several solutions (as I listed earlier). They
just don't want to go through the effort to adopt them.
> However for the large in-premise enterprise customers I think there will
> continue to be the need for interoperability with their customers and
> business partners. But, perhaps over time good technical solutions will
> be implemented that will also solve this need.
Conditioning Mozilla certificate policy on unknown future technical
enhancements is a recipe for another decade of security failures.
Another way of looking at this is that if you argue over what colour to make
the arbitrary line in the sand then you don't have to think about where and
why you're drawing the arbitrary line in the sand in the first place.
>> WebTrust doesn't mention auditing or reviewing audits of SubCAs.
>> WebTrust assumes no review of cross-signed entities.
>> WebTrust explicitly exempts any review of RAs.
>
>One wonders what they were thinking when they wrote that last exemption...
Oh, I know that one, it was "we can save ourselves a lot of work if we exclude
RAs (and cross-signed CAs, and sub-CAs) and other stuff".
Where do I collect my biscuit?
Peter.
Right. Some liabilities are hard to mitigate. However, this isn't a
justification for ignoring them, or ignoring liabilities in general.
So, I think the answer is probably in two parts. Firstly, map those
liabilities. Second, deal with them [0].
> As we saw in the DigiNotar case, the removal from the root list can
> easily mean bankruptcy for the company, which is on the contrary a
> very clear penalty (and can also nullify any liability that is in place).
Right, stick not carrot. Or, punishment, not transfers.
But systems built on punishment do not work as well as systems built on
incentives. Because the only step available here is so ... terminal,
the result will be non-optimal, and we could probably show through
standard finance calculations that bankruptcy as the only punishment
results in an increase in bad behaviour. At a minimum, there will be
over expenditure in one area, under expenditure in another, driven by
fear of removal.
> Maybe disclosure and active policing by the browsers and end-users is
> actually a more comprehensive approach?
As I indicated above, I'd see disclosure is a survivable or short-term
compromise or stepping stone.
But comprehensive? No chance. For one, disclosure creates excessive
attention to headline scandal and inattention to boring risks (c.f., SSL
and phishing, "5 ways to be secure this summer" in News of the World,
etc etc).
Also, although the open source community contends that disclosure is
good for security, I personally have never seen any empirical evidence
of that hypothesis. Yes, there's lots of noise about fixing bugs, but
little comparison of alternatives. E.g., there are some secret security
systems that are good, that serve us well.
Whereas, if a supplier was sued for phishing -- liabilities allocated --
I'm sure the priorities would change.
> But, as you say, this is repeating long discussions.
Yeah. But it'll be back. The problem hasn't gone away. Patience :)
iang
[0] Mitigation: eliminate the ones we can, accept the ones we can't.
More sophisticated is ESIEAP or Eliminate, substitute, isolate,
engineering controls, administrative controls, and protective gear.
1. CAs must disclose (to the public, so that the public can help notify
browsers of violations)
2. Browsers must enforce
Brian has mentioned his plan to implement intermediate enforcement
mechanisms against badly behaving CAs such that the "big stick" of root
removal is not the only option. I think that this is a great idea.
Steve
As for what the audit reports look like for CAs that grant SubCA certs:
https://www.globalsign.com/certificate-authority-root-signing/
https://cert.webtrust.org/SealFile?seal=928&file=pdf
"GlobalSign SA/NV makes uses of external registration authorities for
specific subscriber registration activities as disclosed in GlobalSign
SA/NV�s business practice disclosures. Our examination did not extend to
the control of external registration authorities."
"This report does not include any representation as to the quality of
GlobalSign SA/NV�s services beyond those covered by the WebTrust for
Certification Authorities Criteria..." [which does not include SubCAs]
GlobalSign's CP permits GlobalSign to do a one-time "PKI Infrastructure
review" of "Trusted Root" customers, which is described in 5 bullet points.
Steve
Just to summarise a threadlet with Steve & Kathleen: the above
question(s) is well understood in the profession of auditing. The lead
auditor simply reviews the internal (CA) audit process and decides
whether to rely on it or not. Internal audit, and the relationship
between it and external audit, is well understood in the biz-world.
As to whether it is sufficient -- that's the auditor's call. She is far
better placed to make that call. Indeed, she is expert. We (in
general) are not, and we have none of the information to make that call.
iang
See immediately preceeding post.
> Perhaps you can do some contortions to read an exclusion as an
> inclusion, but at the end of the day it's clear that auditors are not
> today required to look at the process/policy/practice of third-party
> entities that have been granted cert issuing authority.
We're talking at cross purposes here, perhaps.... It is them that make
that decision, not us. Us telling the auditors how to interpret the
third party entities would be like them telling us the difference
between object oriented programming and functional programming... They
have to cover it if it is relevant to the subject matter, how they cover
it is up to them.
(We could write a criteria instructing them ... but that doesn't change
how facile it would be.)
> As for what the audit reports look like for CAs that grant SubCA certs:
>
> https://www.globalsign.com/certificate-authority-root-signing/
>
> https://cert.webtrust.org/SealFile?seal=928&file=pdf
> "GlobalSign SA/NV makes uses of external registration authorities for
> specific subscriber registration activities as disclosed in GlobalSign
> SA/NV�s business practice disclosures. Our examination did not extend
> to the control of external registration authorities."
> "This report does not include any representation as to the quality of
> GlobalSign SA/NV�s services beyond those covered by the WebTrust for
> Certification Authorities Criteria..." [which does not include SubCAs]
OK, so it's quite common.
> GlobalSign's CP permits GlobalSign to do a one-time "PKI
> Infrastructure review" of "Trusted Root" customers, which is described
> in 5 bullet points.
Which, as it was in the CP, and as the Auditor reviewed those
disclosures, was therefore OK by the Auditor.
(Maybe he was wrong, maybe right. That's another issue.)
iang
The question is not whether we detail what a SubCA audit consists of
(although guidance might be in order), but whether we require them at
all. Clearly the current regime does not.
1. SubCAs are CAs with all the authority of root CAs
2. SubCAs are not audited the same as root CAs
3. There is a major loophole in the regime
I don't have any more to say on the matter. The above should be clear
to anyone following this thread, and I don't see much point in
continuing to talk past each other.
>>>> 2) Third-party public subordinate CAs that act as Certificate Service
>>>> Providers (CSPs)
>>>
>>> Should be audited through normal mechanisms and disclosed. What argument
>>> is there against this?
>>>
>>
>> There is no argument in this case. Such sub-CAs should have public
>> CP/CPS and audit statements, and be disclosed by the CA.
>>
>>
>>> Really, they should probably be required to go through the root approval
>>> process themselves (ie: SubCAs would be essentially prohibited), given
>>> that we all seem to agree that the current audit regime is insufficient
>>> (hence the additional Moz requirements). But, as an interim measure
>>> perhaps we should allow them to exist as long as they are audited and
>>> disclosed.
>>>
>>
>> We do review them during the root inclusion process.
>> https://wiki.mozilla.org/CA:SubordinateCA_checklist
>>
>> The information is listed in the information gathering documents and
>> attached to the CA's root inclusion request bug.
>
> Yes, I see that these are requested in the checklist (although the
> checklist refers to the cert policy audit requirements by number, and
> the numbers refer to an out-of-date version of the cert policy).
>
> Can you point to a CA that has fulfilled these requirements?
>
https://bugzilla.mozilla.org/show_bug.cgi?id=436056#c29
https://bugzilla.mozilla.org/attachment.cgi?id=407385
https://bugzilla.mozilla.org/show_bug.cgi?id=551399#c31
https://bugzilla.mozilla.org/show_bug.cgi?id=551399#c34
Fortunately there are very few root inclusion requests for roots that
have third-party public subordinate CAs. This type of root inclusion
request requires a lot of extra work on my part.
>>>> 3) Third-party private (or enterprise) subordinate CAs
>>>
>
> Conditioning Mozilla certificate policy on unknown future technical
> enhancements is a recipe for another decade of security failures.
Currently Mozilla's CA Certificate Policy does not mention
externally-operated subordinate CAs at all. In practice, we have been
addressing externally-operated subordinate CAs, but I would like to at
least get our current practices stated in the policy.
Our current practices were summarized by Frank Hecker here:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc#
and have been documented on our wiki pages here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist
While adding support for our practices regarding externally-operated
sub-CAs to Mozilla's CA Certificate Policy, I think we can also make
some minor (less contentious) improvements such as adding the proposed
text about technical constraints, and requiring that third-party public
subordinate CAs and their CP/CPS/audits be publicly disclosed.
However, the proposed change to require public disclosure of third-party
private (or enterprise) subordinate CAs is still too contentious.
Quote from Frank in 2010: "I'm willing to give CAs and their
<enterprise> customers a greater "presumption of innocence", and allow
them to continue the current practice of engaging in private business
transactions without disclosure of customer identities, as long as the
activities associated with those transactions are private in nature (as
they would be for third-party private CAs as defined above) and as long
as we have reasonable assurances that legal and audit frameworks are in
place to ensure that those activities don't impact typical Mozilla users
on the public Internet."
I have not seen any data indicating that these third-party private (or
enterprise) subordinate CAs are engaging in activities that impact
typical Mozilla users on the public Internet.
Kathleen
Nobody is contending that they should not be disclosed other than you.
You are citing some backchannel conversations with CAs, but how can we
evaluate those?
> Quote from Frank in 2010: "I'm willing to give CAs and their
> <enterprise> customers a greater "presumption of innocence", and allow
> them to continue the current practice of engaging in private business
> transactions without disclosure of customer identities, as long as the
> activities associated with those transactions are private in nature (as
> they would be for third-party private CAs as defined above) and as long
> as we have reasonable assurances that legal and audit frameworks are in
> place to ensure that those activities don't impact typical Mozilla users
> on the public Internet."
>
> I have not seen any data indicating that these third-party private (or
> enterprise) subordinate CAs are engaging in activities that impact
> typical Mozilla users on the public Internet.
Yes, I remember Frank's post, to which I replied:
"What I hear you saying is that there is no potential benefit to Mozilla
users, but if the trust is violated there is potential harm. If that's
the case, why wouldn't we want to curtail the practice of undisclosed
private Sub-CAs? It's all upside from the perspective of the users."
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc/0e8ef7ea5ceee714#5a209af015067cb4
And then the other folks on the thread agreed:
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc/0e8ef7ea5ceee714#6a3af87d8821e0b0
I like Frank, and he is a smart guy, but his word isn't law...
particularly his word from before the recent spate of exploits.
His statement also assumes "reasonable assurances that legal and audit
frameworks are in place..." which has been cast into doubt.
The "recent spate of exploits" did not involve any third-party private
(enterprise) sub-CAs.
>
> His statement also assumes "reasonable assurances that legal and audit
> frameworks are in place..." which has been cast into doubt.
What is new that has cast this in doubt?
Some reasons:
1) The representatives for some of these CAs have to get approval from
their employer before they can post a comment in a public discussion forum.
2) The representatives of these CAs are not allowed to publicly disclose
information about these customers -- it could mean loosing their jobs.
3) The representatives of these CAs don't want to get publicly singled
out in this particular discussion topic.
>> Quote from Frank in 2010: "I'm willing to give CAs and their
>> <enterprise> customers a greater "presumption of innocence", and allow
>> them to continue the current practice of engaging in private business
>> transactions without disclosure of customer identities, as long as the
>> activities associated with those transactions are private in nature (as
>> they would be for third-party private CAs as defined above) and as long
>> as we have reasonable assurances that legal and audit frameworks are in
>> place to ensure that those activities don't impact typical Mozilla users
>> on the public Internet."
>>
>> I have not seen any data indicating that these third-party private (or
>> enterprise) subordinate CAs are engaging in activities that impact
>> typical Mozilla users on the public Internet.
>
> Yes, I remember Frank's post, to which I replied:
> "What I hear you saying is that there is no potential benefit to Mozilla
> users, but if the trust is violated there is potential harm. If that's
> the case, why wouldn't we want to curtail the practice of undisclosed
> private Sub-CAs? It's all upside from the perspective of the users."
> https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc/0e8ef7ea5ceee714#5a209af015067cb4
>
>
> And then the other folks on the thread agreed:
> https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc/0e8ef7ea5ceee714#6a3af87d8821e0b0
>
>
> I like Frank, and he is a smart guy, but his word isn't law...
Frank is still the owner of Mozilla's CA Certificate Policy.
https://wiki.mozilla.org/Module_Owners_Activities_Modules#Governance_Submodule:_Mozilla_CA_Certificate_Policy
> particularly his word from before the recent spate of exploits.
Which, again did not have to do with third-party private subCAs.
> His statement also assumes "reasonable assurances that legal and audit
> frameworks are in place..." which has been cast into doubt.
Cast into doubt by what events? The recent CA Communication required
that the network security review and intrusion detection be performed
for all CAs and their sub-CAs and RAs. While irregular activity was
reported for some of these, I have yet to hear of a CA finding irregular
activity regarding a third-party private subCA.
Frank's comments did not say that the reasonable assurances had to be
publicly disclosed. If they are not publicly disclosed then I guess that
means that the CA Certificates Module owner needs to have the reasonable
assurances.
Kathleen
I think we're all agreed on this. Including, we're all agreed that CAs
won't agree :)
It was pointed out by some CAs that they would agree if everyone else
agreed. The problem with this is that the CAs will sit back and do
nothing. Including not agree. (Stuff might happen in the backrooms, of
course.)
So we are in a bit of a constitutional crisis. There is no effective
regulation over the CAs, as they simply decline to be regulated. As
they are part of the "consensus" they simply need say nothing.
Time to break the consensus?
> 2. Browsers must enforce
I am cautious of throwing that role on to vendors only. It is quite
traumatic, and it also raises fiscal liabilities, in that once they've
asserted responsibility, then they'll be held to it.
But, I guess I'm trying to stop the tide here. Assuming that it's going
to happen, here are some notes I wrote a while back on one way to do it:
https://wiki.mozilla.org/CA:Dispute_resolution
> Brian has mentioned his plan to implement intermediate enforcement
> mechanisms against badly behaving CAs such that the "big stick" of
> root removal is not the only option. I think that this is a great idea.
Probably, all ideas need to be on the table. We need to solve the CA
crisis somehow.
Or maybe we don't. Does the Mozilla end-user get effected one way or
another?
iang
> > 2. Browsers must enforce
>
> I am cautious of throwing that role on to vendors only. It is quite
> traumatic, and it also raises fiscal liabilities, in that once they've
> asserted responsibility, then they'll be held to it.
>
> But, I guess I'm trying to stop the tide here. Assuming that it's going
> to happen, here are some notes I wrote a while back on one way to do it:
>
> https://wiki.mozilla.org/CA:Dispute_resolution
>
> > Brian has mentioned his plan to implement intermediate enforcement
> > mechanisms against badly behaving CAs such that the "big stick" of
> > root removal is not the only option. I think that this is a great idea.
>
> Probably, all ideas need to be on the table. We need to solve the CA
> crisis somehow.
>
> Or maybe we don't. Does the Mozilla end-user get effected one way or
> another?
It seems to me the folks in Iran have the most experience with
consequences of a failed CA (I don't believe the government did it to
launch a massive phishing campaign). Perhaps it would be a good idea
to ask the people whose lives depend on privacy and the system. Fiscal
liability is probably the least of their worries.
Jeff
Just a thought, but CAs ought to exclude such cases from their
liabilities and purpose. For example I've seen CAs that explicitly
prohibit using their digital certificate for use with flight
communications, atomic power stations and all kind of similar critical
systems that could potentially threaten the lives of people.
PKI in use at the Internet wasn't probably meant to protect for such
live-threatening situations, but really just to provide a certain degree
of privacy for financial and private communications. I've also written
up some more thoughts in my blog about this subject:
https://blog.startcom.org/?p=229
As a community we might not necessarily have to agree to provide
protection for such purposes, as software may have vulnerabilities too
that could lead to similar attacks on communications with the same
result, such as also the SSL protocol itself was subject to such flaws
recently already. Probably there is a limit to what can be reasonable
achieved and provided and what is beyond.
That's fine in concept, but implementation has issues.
You might exclude loss of life in your contract. But if your CA wrongly
issues gmail's cert, you not only have to contend with your CPS being
breached and repo trashed ... but also a tort of some form from whoever
gmail's provider is.
If gmail's provider is nailed for contributory manslaughter in Southern
District NY court, then they turn around and take you for damages. Your
contract means nothing because you haven't got a contract with them.
Problem #1: All CAs need to agree on the line in the sand; universal
implicit cross-certification claims scalp again.
Problem #2: Where do we draw that line in the sand? A year ago it
would have been non-controversial, but that window of liability
management is closed. The Iranians (allegedly) are still smarting from
their nuclear power hack from the Israelis (allegedly) ... and they've
(allegedly) attacked an email provider for revenge...
So, draw a line from hotmail to hot reactors. Pick any point in between :)
> PKI in use at the Internet wasn't probably meant to protect for such
> live-threatening situations, but really just to provide a certain
> degree of privacy for financial and private communications. I've also
> written up some more thoughts in my blog about this subject:
> https://blog.startcom.org/?p=229
>
> As a community we might not necessarily have to agree to provide
> protection for such purposes, as software may have vulnerabilities too
> that could lead to similar attacks on communications with the same
> result, such as also the SSL protocol itself was subject to such flaws
> recently already. Probably there is a limit to what can be reasonable
> achieved and provided and what is beyond.
>
If you can get other CAs to tell vendors that, we might have a hope.
Taher Elgamal called it, as did RSA [0].
iang
[0] links in this post:
http://financialcryptography.com/mt/archives/001337.html
Perhaps not - which means, when using a browser even with SSL for
certain purpose you do on your own risk because it's not covered. We are
talking about software used on personal computers (and friends) here,
not flight controllers.