On Thursday, April 10, 2014 10:10:58 AM UTC+1, Kaspar Janßen wrote:
> On 10/04/14 10:08, Peter Eckersley wrote:
>
> > > Kaspar, suppose that Mozilla followed your suggestion and removed
> > > StartCom's root certificates from its trust store (or revoked them!). What
> > > would the consequences of that decision be, for the large number of domains
> > > that rely on StartCom certs?
> > I hope that an appropriate policy will force authorities to reconsider
> > their revocation principle. I don't want to harm someone, nor do I want to
> > work off in any way.
> >
> > The key is that anybody should be able to shout out "don't trust me
> > anymore!" without a fee. Isn't that part of the trustchain idea?
> >

The actual policy of the CA might annoy me, and I might think it's wrong, but that in and of itself is not a reason to remove trust. I did have them in my trust store up until now, despite having recommended against them for some time due to their policy, which I consider a bait-and-switch. In other words, I trusted their cryptography, but disliked their business model. Many of my contacts in the XMPP world used their free certificate offering to secure their servers.

However, I have removed them from my trust stores at this time because of the number of cases I'm personally aware of where potentially compromised end-entity certificates have not been revoked due to an inability or unwillingness to pay.

This does absolutely cause problems; in fact there's a clear argument that it's lowering security by removing my ability to authenticate the certificates of other XMPP servers. However, it's also removing the risk of authenticating a compromised certificate as genuine due to lack of revocation.

To put it more simply, the certificate authority has a very high volume of untrustworthy certificates in circulation. At this point, I can no longer generally trust certificates signed by the CA, and I would recommend others do not trust the CA either.

This is an unusual situation, and I'd expect cases such as this to be both rare and to require decisions on a case-by-case basis.

> > I read a few times that Chrome doesn't even check if a certificate is
> > revoked or not (at least not the default settings). That leads me to the
> > question: Is it mandatory for a CA in mozilla's truststore to have the
> > ability to revoke a certificate, or is it only an optional feature
> > provided by some CAs?

StartCom can revoke certificates, and are willing to do so for a fee. This is not a question of technical ability.

Any CA, to function as a legitimate and trustworthy authority, ought to be able to revoke a certificate, and provide revocation information as published in their certificates according to the relevant standards. StartCom do pass this bar.

As to whether or not Chrom[ium] checks revocations, it's possible to set it to do so (and therefore be secure), and insecurity of some client applications is obviously no excuse for a CA to be insecure, but this is really a moot point in this case.

Dave.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy