On Mon, August 31, 2015 4:02 pm, Kathleen Wilson wrote:
>  I have always viewed my job as running the NSS root store, which has
>  many consumers, including (but not limited to) Mozilla Firefox. So, to
>  remove something like root certs that only have the email trust bit
>  enabled requires input from the consumers of NSS. It should not be
>  removed just because Firefox doesn't use it.

I absolutely agree on the principles here, but there is an element of
considering how the policies apply.

For example, the CA/Browser Forum, in which Mozilla participates, has
produced four documents - SSL Baseline Requirements, SSL Extended
Validation Guidelines, EV Code Signing, and Network and Certificate System
Security.

Of these, only two are explicitly related to active Mozilla Root Inclusion
and participation - the SSL Baseline Requirements and the SSL Extended
Validation Guidelines. EV Code Signing is not implemented by any
Mozilla-developed product.

The Network and Certificate System Security requirements are interesting,
in that they've been incorporated into WebTrust's audit criteria (and are
thus necessary to get a WebTrust audit), although Mozilla never formally
required such (and, indeed, many of the NetSec requirements are just
wrong/bad for security/already outdated, and I would generally discourage
such a requirement).

Under the current Inclusion Policy, the only non-TLS audit schemes are
ETSI TS 101 456 (as it relates to QCP / QCP + SSCD) and ISO 2118:2006
(proposed for removal, and rightfully so). The remaining schemes from ETSI
TS 102 042 incorporate the SSL BRs (EVCP, EVCP+, DVCP, OVCP), although
NCP/NCP+/LCP may provide an out.

Put differently, for both "code signing" and "email" trust bits, what does
Mozilla look for? What should the community look for? If you can't get a
WebTrust SSL BR audit (or, more aptly, if the audit makes no statements
or assertions about the non-SSL issuance), then it would seem the only CAs
that should have these bits are those audited under ETSI/ISO, and if and
only if "they provide a service to the Mozilla users" - which seems to
include Honest Achmed :)

>  Is the mozilla.dev.security.policy forum the correct place to have this
>  discussion about the NSS root store only including root certs with the
>  Websites trust bit enabled?

Seems so. It's where we discuss the Inclusion Policy, and this seems to be
tightly related.

I guess, differently stated, there don't really seem to be any actionable
requirements on Code Signing / EMail CAs, other than "the CA takes
reasonable measures to verify that the entity submitting the certificate
signing request is the same entity referenced in the certificate or has
been authorized by the entity referenced in the certificate to act on that
entity’s behalf;" and "the CA takes reasonable measures to verify that the
entity submitting the request controls the email account associated with
the email address referenced in the certificate or has been authorized by
the email account holder to act on the account holder’s behalf",
respectively.

This is why I would encourage the removal of these trust bits, because
it's unclear what grounds exist for granting - or removing - these trust
bits. If there can be actionable standards developed - either in the
CA/Browser Forum or the Mozilla community - then perhaps it may be worth
continuing this program. But I suspect both tasks are non-trivial and
significant.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
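The thread above turns on which roots in the NSS store have only the email trust bit enabled. As an added illustration (not code from the original post or from NSS itself), the following script reads trust objects in the syntax of NSS's certdata.txt, classifies each root by the bits set to CKT_NSS_TRUSTED_DELEGATOR, and lists the roots whose only enabled bit is a given one. The three entries in SAMPLE_CERTDATA are constructed for this example: the labels are fictitious and the MULTILINE_OCTAL hash block is a shortened placeholder, not a real fingerprint.

```python
"""
Added example, not part of the original mailing-list post: classify roots in
an NSS certdata.txt-style file by enabled trust bit, so that roots whose
only enabled bit is "email" (or "code_signing") can be listed for review.
"""

# certdata.txt trust attributes mapped to the trust-bit names used in
# Mozilla's inclusion policy discussions.
TRUST_ATTRS = {
    "CKA_TRUST_SERVER_AUTH": "websites",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code_signing",
}

# Constructed sample (fictitious labels, placeholder hash block).
SAMPLE_CERTDATA = """\
# Fictitious root 1: websites + email enabled
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Web and Mail Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\\001\\002\\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Fictitious root 2: email only (the case discussed in the thread)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Mail Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Fictitious root 3: explicitly distrusted for every purpose
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""


def parse_trust_objects(text):
    """Return a list of {"label", "trust"} dicts, one per CKO_NSS_TRUST object."""
    objects = []
    current = None
    in_octal = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:
            # Skip the body of a MULTILINE_OCTAL block up to its END marker.
            if line == "END":
                in_octal = False
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr = parts[0]
        if attr == "CKA_CLASS":
            # A new object begins; only trust objects carry trust bits.
            current = None
            if len(parts) == 3 and parts[2] == "CKO_NSS_TRUST":
                current = {"label": None, "trust": {}}
                objects.append(current)
            continue
        if len(parts) > 1 and parts[1] == "MULTILINE_OCTAL":
            in_octal = True
            continue
        if current is None:
            continue
        if attr == "CKA_LABEL":
            current["label"] = parts[2].strip('"')
        elif attr in TRUST_ATTRS:
            current["trust"][TRUST_ATTRS[attr]] = parts[2]
    return objects


def enabled_bits(trust):
    """Trust bits whose value is CKT_NSS_TRUSTED_DELEGATOR (i.e. a trusted root)."""
    return {bit for bit, value in trust.items() if value == "CKT_NSS_TRUSTED_DELEGATOR"}


def summarize(text):
    """Map each root label to the sorted list of its enabled trust bits."""
    return {obj["label"]: sorted(enabled_bits(obj["trust"])) for obj in parse_trust_objects(text)}


def roots_with_only(text, bit):
    """Labels of roots whose one and only enabled trust bit is `bit`."""
    return [obj["label"] for obj in parse_trust_objects(text) if enabled_bits(obj["trust"]) == {bit}]


if __name__ == "__main__":
    for label, bits in summarize(SAMPLE_CERTDATA).items():
        print(f"{label}: {', '.join(bits) or '(no trust bits enabled)'}")
    print("email-only roots:", roots_with_only(SAMPLE_CERTDATA, "email"))
```

Run against a real certdata.txt the same functions separate roots that a websites audit (the SSL BRs) actually covers from those trusted only for email or code signing, which is the set the post argues lacks an actionable standard. Values other than CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS_MUST_VERIFY_TRUST, CKT_NSS_NOT_TRUSTED) are treated as "bit not enabled", which is the distinction the inclusion discussion cares about.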