Looping back in the mailing list, which was dropped by mistake...

The issues at hand are: Who will choose to self-constrain? Who should be forced to constrain? Who benefits from any constraints made?

To that last question, it's a bit of a paradox because we are asking an entity to take action that has minimal benefit to itself. The benefit from the constraints actually goes to everyone else on the internet!

True, an argument could be made that a CA which constrains itself will be less of a target for attack because their ability to issue fraudulent certs is, in theory, reduced. While I don't disagree with that argument I don't find it all that persuasive because quite apart from whether a CA is a desirable target, once it's been compromised the result is the same: everyone within that CA's sphere of influence is at risk. If that sphere of influence is "the whole internet" we now have a big problem. If that sphere is only "everyone in .cn" then I'm still concerned, but less so.

So that's the thinking behind my previous suggestion that "nobody gets the whole internet". A compromise or sloppiness or deliberate fraud at one CA should not mean that everyone is potentially at risk.


Now, as to who will want to self-constrain, I don't think it's a very long list. Anyone who chooses to do so should be lauded, of course, but they are basically doing it out of the goodness of their hearts.  As I said, the benefit doesn't really go to the CA and since there is a potential loss of business if they can't issue certs for some customers I really don't see a strong motivation to self-constrain.


As to who should be forced to constrain, this is controversial. I would argue that everyone should be forced, but that has certain problems. One can argue that only government-run and certain other CAs should be forced but then we are put in the position of having to decide objectively which ones are more trustworthy than others. That can be a tricky path to navigate and doesn't change the underlying threat: that any CA can be a victim of outright attack, sloppy operations, deliberate bad acts, and even simple mistakes.

So while it may be safer, forcing constraints on everyone creates problems. And while it may be more doable, forcing only some CAs might not have enough of an impact. It's a giant risk/reward calculation.


Hopefully this better explains where I'm coming from.

From: Gervase Markham
Sent: Tuesday, March 24, 2015 12:37 PM

On 24/03/15 17:26, Peter Kurrasch wrote:
> Be careful you don't invalidate your whole argument: that people
> should self-constrain even though the security benefit is minimal.

It depends from whose perspective. The security benefit to the CA system
of HARICA, the Greek academic CA, name-constraining itself to .gr, .org
and .net (I think) was minimal. But the security benefit to HARICA
itself was significant, because if they can't issue for .com it makes
them much less of a target.

So I think some smaller CAs may be open to voluntarily taking on name
constraints.

> I'm also not sure I see the reason to target government-run CAs?

You really don't see any reason why people might be less trusting of
government-run CAs? :-)

Also, we have an audit exception for government-run CAs. They often have
internal audits only, and we can't easily tell them to go away and get a
WebTrust audit. So we might decide that in order to take advantage of
that exception, you have to be name constrained.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
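For readers following the HARICA example above, here is a small added illustration (not part of this thread, and not HARICA's or Mozilla's code) of what "name-constraining itself to .gr, .org and .net" means to a relying party. It implements the dNSName matching rule of RFC 5280 section 4.2.1.10: a name satisfies a permitted subtree when it equals the subtree or adds labels to its left, excluded subtrees override permitted ones, and an absent permitted list leaves that name type unconstrained. The constraint set `gr`, `org`, `net` is assumed from Gerv's "(I think)", and the leading-dot handling (".gr" requires at least one extra label, as OpenSSL treats it) is an assumption about encoding practice, not something the thread states.

```python
"""RFC 5280 4.2.1.10 dNSName constraint matching (added example, not from the thread)."""

from dataclasses import dataclass, field


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks the root and is dropped.
    return name.strip().rstrip(".").lower()


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` is `subtree` or is built by adding labels to its left."""
    n, s = _normalize(name), _normalize(subtree)
    if not s:
        return True  # an empty dNSName subtree matches every DNS name
    if s.startswith("."):
        # Assumed encoding practice (OpenSSL behaviour): ".gr" matches "www.gr" but not "gr".
        return n.endswith(s)
    return n == s or n.endswith("." + s)


@dataclass
class DnsNameConstraints:
    """The dNSName entries of a CA certificate's NameConstraints extension."""

    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def permits(self, name: str) -> bool:
        # Excluded subtrees win over permitted ones.
        if any(dns_name_in_subtree(name, s) for s in self.excluded):
            return False
        # No permitted dNSName subtree present: this name type is unconstrained.
        if not self.permitted:
            return True
        return any(dns_name_in_subtree(name, s) for s in self.permitted)


def check_leaf_san(constraints: DnsNameConstraints, san_dns_names: list[str]) -> list[str]:
    """Return the dNSName SAN entries the constrained CA may NOT certify (empty = all OK)."""
    return [n for n in san_dns_names if not constraints.permits(n)]


# Constructed constraint set modelled on the HARICA case discussed in the thread (assumed).
HARICA_LIKE = DnsNameConstraints(permitted=["gr", "org", "net"])

if __name__ == "__main__":
    # A leaf for a Greek university host is fine; a .com name would fail path validation.
    print(check_leaf_san(HARICA_LIKE, ["www.auth.gr", "login.example.com"]))
```

The point for the thread: a relying party running this check rejects any certificate chaining to the constrained CA whose SAN contains a .com name, regardless of what the CA actually signed, which is why a compromised or sloppy constrained CA endangers only its own subtrees.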
