It's hard not to agree with you.
> At the most basic level, it's not clear to me to whom this legislation is
> directed. Is it citizens within the EU?
This is the funniest part of the game: in fact, member states are supposed to
maintain their TSLs but, to the best of my knowledge, there is no obligation
for anybody or any public service to rely on those lists.
Also, according to the legislation, those lists are maintained primarily by the
agencies (so-called supervising bodies) that are responsible for the legal
recognition of TSPs (CAs), which in practice leads to even more confusion and
controversy. Don't be surprised if you find the same supervisors adopting their
own rules (for legal recognition of TSPs) which turns out to be an alternative
to an applicable audit.
So I'd say your concerns are quite close to the real picture.
At the same time, IMHO the use of harmonized trust anchor containers (in the
technical sense) at the OS level or even by the browsers should have been
welcomed by many application developers.
Thanks,
M.D.
-------- Original message --------
From: Peter Kurrasch <fhw...@gmail.com> 
Date: 10/07/2015  21:57  (GMT+02:00) 
To: mozilla-dev-security-pol...@lists.mozilla.org 
Subject: EU Trust-lists (was: Letter from US House of Representatives)

This is an interesting topic. Setting aside politics and technical
considerations and instead focusing on just security implications I'd like to 
share the following thoughts. I admit readily that I have not done much 
research on this topic so I hope people will make corrections or otherwise let 
me know if I'm missing important information. 
* I don't think calling it a Trust List is appropriate and perhaps is better
called "I Hope We Can Trust This" List. Or perhaps call it a "Mandatory
Recognition of Authority" List. I didn't come across anything that leads me to
conclude that this list is any more trustworthy than any other list I might
generate, sign, and distribute.
* Perhaps unintentionally (and in a counter-intuitive sense) this legislation
increases the attack surface that a bad actor might use. I took only a brief
look at the list that Erwann pointed us to below and it seemed to me there are
new authorities that are not already included in the Mozilla trust store. This
means that if I don't feel like attacking one of the trust store CAs, I now
have a whole slew of other places to go after. Just how much damage I might
cause was not immediately clear to me but that's almost secondary: the
legislation could actually improve my chances of success as a bad actor.
* At the most basic level, it's not clear to me to whom this legislation is 
directed. Is it citizens within the EU? Users of any web sites hosted within 
the EU? People outside the EU who might wish to conduct business with other 
people and businesses who happen to be located within the EU? Note that in 
addition to being a basic question this also goes to my previous point about 
how much larger does the threat landscape (and potential for harm) become?
* One of the more fascinating ideas for me was actually paragraph 61 of the 
WHEREAS portion of the legislation: that electronic identities should be viable 
into the future. This opens up the possibility (again, perhaps unintentionally) 
that revocation of a person's certificate or other "signature materials" might 
need to be specifically addressed.
* That previous point leads to what I think might be a major gap in the 
legislation: policies and regulations for when an individual loses control of 
his or her electronic identity. We know this will happen and I think we have to 
assume that it will happen a lot. What are the implications to that, from the 
standpoint of the legislation and its intended application? And any legal
ramifications?
* Regarding Mozilla's support of any such lists, I think any proposal that 
requires a user to decide to accept/decline the list or an authority must be 
disqualified from further consideration. People make the wrong choices all the 
time so if you are dependent on a user making the right choice in order to 
establish/preserve a chain of trust it seems to me your chances of success are 
no better than a coin toss.

For me the bottom line in all this is that it seems the legislation is well
intentioned but by creating a parallel universe of trust anchors outside of the
existing PKI system (that has all the same issues and problems of the existing
system) it actually does little to further the cause of making the internet
safer and more trustworthy.
For whatever it's worth.

From: Erwann Abalea
Sent: Tuesday, July 7, 2015 4:24 PM
To: mozilla-dev-security-policy@lists.mozilla.org
Subject: Re: Letter from US House of Representatives
Hello,

On Tuesday, 7 July 2015 at 03:02:48 UTC+2, Peter Bowen wrote:
> Thinking about this from a technical perspective, rather than a
> political one, this seems very similar to a user deciding to add
> additional certificates to their trust store.  I think the primary
> differences are the need to add a set of certificates and possibly
> automatically update the list.
> 
> If there was a standard for publishing trust lists where the list
> comes in one file and is signed, then I can imagine an option to
> "import list" and the list could contain a URL to fetch new versions.

You mean, like the ETSI TS 102231 standard? It is used today by European
members and the European Commission.
The first list of lists is located at 
https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
and references 31 national lists of trust services.

The standard defines both a (somewhat obsolete) ASN.1 encoding, and a 
(currently used) XML encoding for this list.

> Then the user could simply select to use the "EU Trust List", the
> "China Trust List", or the "US Government Trust List".  The browser
> would periodically fetch new versions of the list, validate the
> signature (using the key of the previous list), and switch to that
> list.  Microsoft already has their SST format; possibly this could be
> the starting point for an open format usable by all.
> 
> This would avoid the need for a vendor to maintain hundreds of trust
> lists and allow customers to deploy their own trust list policies.

I don't like it, but I'm afraid European users will be more or less supposed to
trust what is declared in a TSL. Because of eIDAS.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
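
The update scheme Peter Bowen sketches in the quoted text (a signed list that is replaced only by a version validated with the key of the previous list), as an added example that is not part of the original thread and not ETSI TS 102231 or Microsoft SST. The JSON layout, field names, use of Ed25519 and the sequence-number check against replay of an old list are assumptions made here, and the sample lists are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// TrustList is a hypothetical layout, not ETSI TS 102231 or Microsoft SST.
type TrustList struct {
	Sequence  int      `json:"sequence"`
	Anchors   []string `json:"anchors"`
	UpdateURL string   `json:"update_url"`
	NextKey   []byte   `json:"next_key"` // public key that must sign the next version
}

type SignedList struct{ Body, Sig []byte }

func SignList(l TrustList, priv ed25519.PrivateKey) SignedList {
	body, _ := json.Marshal(l) // cannot fail for this struct
	return SignedList{body, ed25519.Sign(priv, body)}
}

// AcceptUpdate keeps cur unless cand is signed by cur.NextKey and strictly newer.
func AcceptUpdate(cur TrustList, cand SignedList) (TrustList, error) {
	if len(cur.NextKey) != ed25519.PublicKeySize || !ed25519.Verify(cur.NextKey, cand.Body, cand.Sig) {
		return cur, fmt.Errorf("not signed by the key from the previous list")
	}
	var next TrustList
	if err := json.Unmarshal(cand.Body, &next); err != nil {
		return cur, err
	}
	if next.Sequence <= cur.Sequence {
		return cur, fmt.Errorf("rollback: sequence is not newer")
	}
	return next, nil
}

// Scenario runs three constructed updates against list v1: genuine, forged, stale.
func Scenario() (genuine, forged, stale error) {
	pub1, priv1, _ := ed25519.GenerateKey(nil)
	pub2, priv2, _ := ed25519.GenerateKey(nil)
	v1 := TrustList{1, []string{"Example Root A"}, "https://lists.example/tl", pub1}
	v2 := TrustList{2, []string{"Example Root A", "Example Root B"}, v1.UpdateURL, pub2}
	_, genuine = AcceptUpdate(v1, SignList(v2, priv1)) // signed by the key v1 names
	_, forged = AcceptUpdate(v1, SignList(v2, priv2))  // signed by a key v1 never named
	_, stale = AcceptUpdate(v1, SignList(v1, priv1))   // valid signature, old version
	return
}
func main() { fmt.Println(Scenario()) }
```

In this sketch the trust in every later version reduces to how the first list and its key reached the client, which the update mechanism itself does not establish.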



