Hi Wallas,

Setting aside Ryan's petulance, if I may, I think the simple answer to all your questions can be stated thusly: no one is in charge and we depend on people doing the right things.

Mostly I think that works out OK but there's just no escaping that much of the PKI system relies on nothing more than "please don't do that" and "okay I promise I won't". Requirements and specifications and best practices and audits and open discussion forums such as this one all help but if any given actor chooses to lean in a different direction there is little recourse we can take. What's worse is that the rationale for taking any such action is so narrow that only the most egregious cases are ever pursued.

The obvious poster child for egregious cases is DigiNotar. Cases which are not so clear cut would have to include the CFCA request under discussion right now and the TeliaSonera situation of the recent past. In both cases the concerns are real and justified and yet the available options seem limited. I'd like to see us improve upon that, but that's a whole other conversation. 

In any case, I hope this helps answer your questions.


From: Ryan Sleevi
Sent: Tuesday, July 29, 2014 10:47 AM

On Tue, July 29, 2014 2:01 am, Wallas Smith wrote:
> Thank you very much for your precise answers. This helped me to come to
> new questions:

Which you will find already answered at
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
, as I suspected.

>
> 1) According to what I understand, when trying to express the chain of
> Certificate trust starting from a Mozilla User, the upper trust is placed
> into Governmental Regulations and/or Professional code of Conduct of
> auditors.
> Could you tell me more about the Governmental Regulations you were
> mentioning?
> Also, is there a global regulation which gathers all these governmental
> regulations, and who controls them? In other words, who is on top of the
> chain of control?

This was already answered in my previous email, which provided enough
information for you to discover the relationship of ETSI and WebTrust (as
Audit Frameworks) to the CA/Browser Forum's Baseline Requirements, and how
those flow into the Mozilla requirements.

Which is, of course, also answered by
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

> 2) If I still understand you well, Mozilla never really check by
> themselves the good "quality" of a given CA at a specific date (by quality
> I am not talking about the required content which can be easily checked),
> but they report their responsibility to Auditors and Governmental
> Regulations. Do Mozilla still have some exceptional process for checking
> fully a CA by themselves, that could lead to the removal of a CA in their
> product?

This is also already answered by
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/
>
> 3) Finally, if Mozilla don't have contracts with auditors, do Mozilla have
> contract(s) with any stratum of what I called the trust chain (with the CA
> itself or Governmental regulations, or above depending on your answer) to
> discharge their responsibility in case of a failing CA? Who is responsible
> in case of a failing/neglected/wrongly handled CA in front of the law?

Once again, already answered.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/

Also, read the CA's CPs/CPSes to understand what liabilities and how they
fit.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy