I'm confused because it sounds like you're advocating for the status quo but I didn't think that was your position?
Original Message
From: Gervase Markham
Sent: Tuesday, March 24, 2015 4:25 AM
To: Peter Kurrasch; Richard Barnes; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Name Constraints

On 24/03/15 05:01, Peter Kurrasch wrote:
> 1) As a first step on the path to fairness, perhaps there can be
> agreement that the goal of any name constraint policy should be the idea
> that a single root does not "get the whole internet". Maybe a whole CA
> organization might, but a single root should not. Could everyone agree?

I don't agree on that, because I don't yet think that a forced name constraints policy for all CAs is a good idea at all.

Your proposal might reduce the risk to some degree, but not much. If I broke into Foo CA's issuing system, and Foo CA has two roots, one for one half of the internet, and the other for the other half, then I can just use whichever half I need. This provides extra protection only in the case where a CA is part-compromised and it happens to be the wrong part for what the attacker wants to do.

The other problem is that some CAs don't have more than one root, and in fact it's been both Mozilla and Microsoft policy to encourage CAs not to multiply roots without end. I heard a soft limit of 3 being mentioned at one point for Microsoft's program, although that may have been a rumour. Certainly, some CAs in our program only have a single root. Do they get penalized by being given only half the Internet because of that?

> 2) I picture a broadcast mechanism along the lines of OneCRL that
> would/could play a role in helping determine when a root's scope has
> become too broad. This mechanism combined with live browsing data could
> flag potential problems and conflicts with the policy agreements.

This all sounds like a massive technical effort and an administrative nightmare, as well as affecting reliability (as all complex systems do). You would need to make a clear case for a significant improvement in the security of the internet, realisable in the short to medium term, in order for something like this to even be contemplated.

> I guess a final thought is that the work Richard (?) did to come up with
> an initial set of constraints for the trusted roots is a good place to
> start the conversation of how to fairly divvy up the DNS space. It's
> like saying to the CAs, "since these are the areas where your business
> is, why not just constrain yourself to these TLDs?" As long as it's not
> carved in stone it should be a reasonable way to go...?

If you were running a business with, say, 10 different product lines, and the government came along and said "you're currently making these 10 different products; we are going to pass a law which says you can't make any other products without making it public that you intend to move into a new area of business, asking us for permission and, if we decide to give it, waiting a year or so", how would you react?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
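To make the "one root per half of the internet" argument concrete, here is an added example (not code from the thread or from Mozilla) implementing the RFC 5280 section 4.2.1.10 dNSName name-constraint match and applying it to a constructed Foo CA with two TLD-constrained roots; the root names and TLD lists are assumptions for illustration.

```python
# Added example: RFC 5280 section 4.2.1.10 dNSName name-constraint matching,
# used to show which names a TLD-constrained root can vouch for.
# The Foo CA roots and their TLD lists below are constructed for illustration.

def _labels(name: str) -> list[str]:
    # Case-insensitive, ignore a trailing dot; a leading dot in a constraint
    # (".example.com") is treated the same as "example.com".
    return [l for l in name.strip().lower().rstrip(".").split(".") if l]

def dns_name_in_subtree(name: str, base: str) -> bool:
    """True if `name` is `base` with zero or more labels added on the left."""
    n, b = _labels(name), _labels(base)
    return bool(b) and len(n) >= len(b) and n[-len(b):] == b

def dns_name_permitted(name: str, permitted, excluded=()) -> bool:
    """A name passes one CA's constraints if it matches no excludedSubtree
    and, when permittedSubtrees is non-empty, matches at least one of them."""
    if any(dns_name_in_subtree(name, ex) for ex in excluded):
        return False
    return not permitted or any(dns_name_in_subtree(name, p) for p in permitted)

def chain_permits(name: str, chain) -> bool:
    """Constraints accumulate down the path: every CA in `chain`, given as
    (permitted, excluded) pairs from root to issuing CA, must allow `name`."""
    return all(dns_name_permitted(name, p, e) for p, e in chain)

# Constructed scenario: Foo CA holds two roots, each constrained to part of the DNS.
FOO_ROOT_A = (["com", "net"], [])
FOO_ROOT_B = (["org", "uk"], [])

def roots_that_can_issue_for(name: str, roots=None) -> list[str]:
    """Which of the organisation's roots could vouch for `name`; the union
    across roots is what matters if the whole organisation is compromised."""
    roots = roots or {"root-a": FOO_ROOT_A, "root-b": FOO_ROOT_B}
    return [label for label, ctr in roots.items() if chain_permits(name, [ctr])]

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.org", "example.uk", "example.de"):
        print(host, "->", roots_that_can_issue_for(host) or "no Foo CA root")
```

Each root individually covers only its half, but a name in any covered TLD is reachable through one of the two, which is the point Gerv makes about choosing "whichever half I need".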