On Wed, May 27, 2015 at 4:32 PM, Peter Kurrasch <fhw...@gmail.com> wrote:
> I see this question (new root cert/private key or continue with the > existing one) as being less about security and more about what got us here > in the first place. > > From Ryan's reply: > > 1) Certificates that violate policy (such as the one that lead to CNNIC's > quasi-removal) may have been issued that, if CNNIC were accepted, would > become recognized as valid. > > > I think this is the crux of the problem: how do we want to treat all the > existing certs which chain to this root? If we let the existing root stand > it seems like we're saying to CNNIC, "Go ahead and do these audits and then > once you've been accepted back in the program we'll just pretend that this > whole thing never happened." > > There are probably good reasons to do just that (convenience to cert > holders, expediency in reinstating CNNIC's root) but then I have to rethink > what started this whole mess: the loss of trust/confidence in the > management of this CA. Since losing that trust, why would (should?) we > allow any of those certs to be valid once more? How do we know which ones > are safe to trust? > > To my mind, if the question being asked is how do we reestablish trust in > CNNIC then I think the answer is new private key, new root cert, new > audits, and new certs issued to existing cert holders. If it's a different > question being asked, we'll probably have a different answer. > I think Peter is on the right track here. I agree that if CNNIC is to reapply, it should be with a new root. It creates a clean break between the past and the future. It clarifies that the new audits that are required apply to the new thing, and that the old thing is dead. It's marginally easier to implement. This does have the consequence that certificates issued under the old root after the April 1 cut-off will never be valid (unless they're re-issued under the new root). (I understand that there are a few of these that have been issued.) I'm OK with that consequence. --Richard > > > Original Message > From: Gervase Markham > Sent: Wednesday, May 27, 2015 4:41 AM > > On 26/05/15 22:26, Kathleen Wilson wrote: > > But this raises the question of whether their re-application can be for > > the same (currently-included) root certificates, or if it has to be for > > a new root certificate. In other words, should we consider taking the > > stance that we will require a new root certificate for their > > re-application? (i.e. the restrictions would remain in place for the > > currently-included roots.) > > I see no security advantage in requiring new roots. Doing so would be an > inconvenience (one might say "punishment") to CNNIC, and someone might > want to argue for it on those grounds, but I can't see how requiring new > roots changes any security evaluation, because there has been no > suggestion that their roots are either a) technically unsound, or b) > compromised. > > Gerv > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
