[ Disclaimer: This message is my personal view and does not
necessarily represent that of my employer. ]

On Thu, May 19, 2016 at 9:15 AM,  <kirkhall...@gmail.com> wrote:
> This has been a very surprising discussion to me.  If most CAs were asked “Do 
> you think CAs are supposed to investigate and revoke one of your certificates 
> that is reported to you for injecting malware on Relying Parties clients?” 
> their answer would be “Yes, of course – that’s required under the Baseline 
> Requirements (BRs) and related WebTrust audit requirements.”

Kirk,

Addressing your question directly, the _Trust Service Principles and
Criteria for Certification Authorities, Version 2.0_ (better known as
WebTrust for Certification Authorities 2.0) very much does not require
such.  This WebTrust audit is designed to provide assurance that the
CA does what it says it does when it comes to Subscriber Registration
and Certificate Issuance.  It is up to the CA to determine the rules
about when it issues a certificate and document those in its CPS.

When it comes to public certificates, which is what the Mozilla CA
program covers and are the subject of the BRs and EV Guidelines
(EVGs), there is assurance that certificates do the following:

Provide global identification by certifying:
1) A binding between the identity of a natural person or institution
and a cryptographic key
2) Confirmation that the identified named entity authorized issuance
of the certificate
Alternatively they explicitly may not provide identity.

Provide assurance that the subscriber either had control of the hosts,
control of the domain namespace, or was a contact for the domain
namespace for all DNS names or the equivalent for all alternative
names in the certificate at the time the certificate was issued.  In
some cases, such as an electronic identity certificate, there may be
no alternative name.

This is all that they do.  Now some CAs may choose to make further
assurances, for example they may assert that the person named in the
certificate is a citizen of a certain country or assert that the
company is a member of an organization or has been licensed for
certain activities.  However this is outside the scope of the BRs and
EVGs.

Just like state, province, territory, or district issued identity
cards in the US and Canada, certificates do not directly assert
anything about the character of the individual identified.  Someone
with multiple felony convictions can get an identity card.  However,
what the identity card or certificate does is help provide a
consistent identity that can be looked up in systems to find out about
the character of the person.

Certificates form a critical part of securing communication.  They
solve the a priori knowledge problem when initiating a conversation
with a previously unknown party.  The certificate allows the one party
to say to the other "I'm Bob and you can be assured of that because
our mutual friend Charlie confirmed as much".  This avoids a
switcheroo taking place where someone else claims to be Bob.

If CAs want to add additional assertions to certificates, that should
be their prerogative.  If this is included in a manner that allows
automatic extraction, then it is something that firewall or end point
security vendors might be able to use to help classify websites.  For
example, a certificate can declare it is a website operated by a
national government which might cause the security software to make
certain decisions.  However this is out of scope for the BRs, EVGs,
and Mozilla CA program.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy