On Mon, Apr 13, 2015 at 06:15:52PM -0500, Peter Kurrasch wrote:
> Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov
> and let's further suppose that CNNIC includes this cert in the CT data
> since they have agreed to do that.  What happens next? 
> 
> Where I'm going with this is that I'm trying to figure out if agreeing to
> support CT is a hollow promise.  It seems like it might deter bad behavior
> on the part of a cert issuer but its effectiveness in that regard is
> limited if nobody is checking the CT logs.  (By way of comparison,
> consider the deterrence impact of using name constraints.)

Yes, if nobody is watching the CT logs, there is no *direct* benefit from
the single act of publishing all issued certificates.  That said, the simple
fact that someone *could* be watching what is going on will tend to affect
the behaviour of a CA, as it does on any activity involving humans.  There
is also the benefit that, since the logs are public in perpetuity (or a
reasonable approximation thereof), past bad behaviour can be detected by
reviewing the historical log data, rather than having to notice it at the
time (which is the primary limitation in SSL census data, as useful as that
is).

> Apart from this CT question, it seems to me that requiring name
> constraints on future submissions from CNNIC is reasonable.  I don't
> see how they have a compelling interest to issue certs beyond Chinese
> domains in any sense that we would find agreeable.

I'm not a fan of browser-imposed name constraints on CAs, at a philosophical
level.  An important principle of the Mozilla root program, IMO, is that it
works for the public good (insofar as "the public" is represented by "users
of Mozilla products").  A name constraint on a CA says "we're going to
protect *most* of the Internet from a CA's bad behaviour, but the people who
visit sites under these prefixes...  they're on their own".

To my mind, if a CA isn't trustworthy enough to be trusted to issue
certificates for every site on the Internet, they shouldn't be trusted to
issue certificates for *any* site on the Internet.  In the case of the
proposed name constraints for CNNIC, it leaves an especially bad taste in my
mouth, as it could easily be interpreted as "those Chinese people deserve
what they get".

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
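
To make the "someone has to be watching the logs" point above concrete, here is a toy CT log monitor. It is an added example for this thread, not code from Mozilla, CNNIC or any CT log operator. It assumes log entries have already been fetched and their leaf certificates parsed down to an issuer name and the SAN dNSNames; those fields, the issuer names and the domain policy are all constructed inline. It scans the whole log (the historical review Matt describes) or only entries newer than a given index (what a polling monitor does), and separately shows which names a ".cn"-only name constraint on the issuer would have rejected.

```python
"""Toy Certificate Transparency (CT) log monitor.

Added example for this thread, not code from Mozilla, CNNIC or any CT log.
A real monitor fetches entries from a log, parses the leaf certificate and
extracts the issuer and SAN dNSNames; here those fields are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """The parts of a CT log entry a monitor cares about (constructed)."""
    index: int            # position in the append-only log
    timestamp: str        # when the log accepted the certificate
    issuer: str           # CN of the issuing CA (hypothetical names below)
    dns_names: tuple      # SAN dNSName values from the leaf certificate


# Constructed log, not real CT data.  Entry 2 is the thread's hypothetical:
# CNNIC issuing for whitehouse.gov and logging it as promised.
SAMPLE_LOG = [
    LogEntry(0, "2015-03-20T10:00:00Z", "Example Trusted CA",
             ("whitehouse.gov", "www.whitehouse.gov")),
    LogEntry(1, "2015-03-22T08:30:00Z", "CNNIC SSL", ("www.cnnic.cn",)),
    LogEntry(2, "2015-03-25T12:00:00Z", "CNNIC SSL",
             ("whitehouse.gov", "www.whitehouse.gov")),
    LogEntry(3, "2015-04-01T09:15:00Z", "CNNIC SSL", ("evilwhitehouse.gov",)),
]

# The domain owner's policy: which issuers are expected for each watched name.
POLICY = {"whitehouse.gov": {"Example Trusted CA"}}


def _norm(name):
    return name.lower().rstrip(".")


def within_subtree(name, subtree):
    """RFC 5280 dNSName subtree test: name equals subtree or lies below it.
    A leading wildcard label is dropped, since *.x can only match names under x."""
    name, subtree = _norm(name), _norm(subtree)
    if name.startswith("*."):
        name = name[2:]
    return name == subtree or name.endswith("." + subtree)


def covers_watched(san, watched):
    """Does this SAN let its holder impersonate the watched domain or any
    host under it?  Label boundaries matter: evilwhitehouse.gov is not
    under whitehouse.gov, but *.gov does cover whitehouse.gov."""
    san, watched = _norm(san), _norm(watched)
    if san.startswith("*."):
        # a wildcard matches exactly one label, so *.gov covers whitehouse.gov
        if watched.partition(".")[2] == san[2:]:
            return True
    return within_subtree(san, watched)


def find_misissued(log, policy, start_index=0):
    """Return (index, issuer, names) for every entry at or after start_index
    whose certificate covers a watched domain but comes from an unexpected CA.
    start_index=0 is a full historical review; a polling monitor passes the
    last index it has already examined."""
    findings = []
    for entry in log:
        if entry.index < start_index:
            continue
        for watched, expected_issuers in policy.items():
            hits = tuple(n for n in entry.dns_names if covers_watched(n, watched))
            if hits and entry.issuer not in expected_issuers:
                findings.append((entry.index, entry.issuer, hits))
    return findings


def outside_permitted_tree(entry, permitted_subtrees):
    """Names in an entry that a name constraint limiting the CA to
    permitted_subtrees would have rejected at validation time."""
    return tuple(n for n in entry.dns_names
                 if not any(within_subtree(n, p) for p in permitted_subtrees))


if __name__ == "__main__":
    for index, issuer, names in find_misissued(SAMPLE_LOG, POLICY):
        print(f"entry {index}: {issuer} issued for {', '.join(names)}")
    # What a ".cn"-only constraint on the hypothetical CNNIC CA would block:
    for entry in SAMPLE_LOG:
        if entry.issuer == "CNNIC SSL":
            print(f"entry {entry.index}: outside .cn -> "
                  f"{outside_permitted_tree(entry, ('cn',))}")
```

Note the two different matching rules: the monitor asks whether a SAN could be used against the watched domain (so `*.gov` counts), while the constraint check asks whether a name sits inside the permitted subtree (so `*.gov` does not sit under `cn`). Conflating the two is a common monitor bug. Either way, nothing here fires unless somebody actually runs it against the log, which is the point of the thread.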