On 06/09/2016 16:10, Peter Gutmann wrote:
> Peter Bowen <pzbo...@gmail.com> writes:
>
> > In addition to the direct impact, I note that WoSign is the subject of cross-
> > signatures from a number of other CAs that chain back to roots in the Mozilla
> > program (or were in the program).
>
> This is incredible, it's like a hydra.  Do the BRs say anything about this
> type of cross-certification, or is it just "find as many other CAs as you can
> to cross-certify you so you can't be killed".


The BRs say that if the cross-certified CA is deemed no longer
compliant, the cross-signing CAs must retract their cross-signature or
be deemed non-compliant themselves.  This was already explained
elsewhere in this discussion.

> Why would a public CA even need cross-certification from other CAs?


Because the delay from starting up a new trustworthy CA until all
deployed client software has been upgraded to trust that new CA is
unbearably long (bordering on infinite as the required support
percentage approaches 100.000000000%).  Hence it is common for new
CAs (other than the now historic RSADSI CA) to acquire cross-signatures
from established (or even defunct) CAs.

This is exacerbated by the fact that at least one browser vendor
(Microsoft) no longer distributes the full list of trusted CAs with
their clients, but instead checks against an online copy of their root
stores as needed, giving people very little control over what they
trust other than a few historic CAs.

In relation to your well-published PKI criticism, it is noted that some
of the many new CAs found in root stores are governments who (unlike
commercial CAs) are the actual authority on the identity of their
citizens.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
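The "hydra" effect discussed in this thread comes from how path building works: a cross-certificate is a second certificate over the same intermediate key, so a leaf keeps a valid path as long as any one of the signing roots is still trusted. The script below is an added example, not code from the thread, from Mozilla, or from any CA; it assumes the Python `cryptography` package, and every name in it (Root A, Root B, CA X, example.test) is made up. It builds the scenario, then shows that removing Root A from the trust store alone does not cut the leaf off, while withdrawing the cross-certificate does.

```python
"""Cross-signature path building (constructed example, not from the thread).

Scenario: intermediate "CA X" has ONE key pair but TWO certificates over it,
one issued by Root A and one cross-signed by Root B.  A leaf issued by CA X
therefore has two candidate paths.  Names and keys are all hypothetical.
Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2016, 1, 1)
NOT_AFTER = datetime.datetime(2026, 1, 1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue one certificate.  Who signs (issuer_key) is independent of whose
    key is certified (subject_key): that independence is what cross-signing is."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, candidate_issuer):
    """True if cert names candidate_issuer as issuer AND the signature verifies
    under candidate_issuer's public key (name match alone proves nothing)."""
    if cert.issuer != candidate_issuer.subject:
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def find_paths(leaf, intermediates, trust_anchors, depth=5):
    """Return the CN of every trust anchor reachable from leaf by following
    verified signatures through the supplied intermediates.  A real path
    builder also checks validity periods, name constraints, policies and
    revocation; this one is deliberately limited to signatures."""
    found = []
    for anchor in trust_anchors:
        if signed_by(leaf, anchor):
            found.append(anchor.subject.rfc4514_string())
    if depth == 0:
        return found
    for ica in intermediates:
        if ica is not leaf and signed_by(leaf, ica):
            found.extend(find_paths(ica, intermediates, trust_anchors, depth - 1))
    return found


def build_scenario():
    """Two roots, one intermediate key with two certificates, one leaf."""
    root_a_key, root_b_key, x_key, leaf_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root_a = issue("Root A", root_a_key, "Root A", root_a_key, True)
    root_b = issue("Root B", root_b_key, "Root B", root_b_key, True)
    x_from_a = issue("CA X", x_key, "Root A", root_a_key, True)
    x_from_b = issue("CA X", x_key, "Root B", root_b_key, True)  # the cross-certificate
    leaf = issue("example.test", leaf_key, "CA X", x_key, False)
    return root_a, root_b, x_from_a, x_from_b, leaf


def demo():
    """Which roots the leaf can reach under three trust-store states."""
    root_a, root_b, x_from_a, x_from_b, leaf = build_scenario()
    both_x_certs = [x_from_a, x_from_b]
    return {
        "both roots trusted": sorted(find_paths(leaf, both_x_certs, [root_a, root_b])),
        "root A removed": sorted(find_paths(leaf, both_x_certs, [root_b])),
        "root A removed, cross-cert withdrawn": sorted(find_paths(leaf, [x_from_a], [root_b])),
    }


if __name__ == "__main__":
    for state, roots in demo().items():
        print(f"{state}: {roots or 'NO PATH'}")
```

The third case is the one the BR requirement quoted above is about: distrusting a root is not enough on its own, because clients that still hold the cross-certificate (or get it served in the handshake) will build the alternate path, so the cross-signing CA has to stop honouring that certificate as well.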
