On Wednesday, September 21, 2016 at 12:05:49 PM UTC-7, Peter Kurrasch wrote:

> I have a hard time seeing how any sort of white list solution will actually
> mitigate any of the bad behavior exhibited by WoSign.
This doesn't help understand where your disconnect is, or how we might educate and inform you about different perspectives.

> So the problem I have with a white list is the implication that while we
> don't trust the CA to issue new certs, we do have trust in the continued
> operation of other parts of the CA.

Once a certificate is issued, it's issued. What continued operations, beyond revocation (which doesn't work in the Web PKI) do you see as necessary?

> I'm just having a hard time seeing how there is anything left to trust when
> it comes to WoSign. Maybe the best outcome would be a finding of
> irreconcilable differences and for us to go our separate ways? Maybe we just
> want different things in a global PKI system?

It's unclear who you're referring to here. I think, judging by some of your replies, that some of the experts in this space don't agree with you or your conclusions, but this may simply be a teachable opportunity.

To try to explain to you: A wholesale distrust is, in effect, a statement that we believe no certificate, past, present, or future, is trustworthy. This is a very strong statement, and it's very hard to make, even under significant evidence, but is sometimes necessary (for example, when an unknown number of unconstrained sub-CAs have been issued). However, if you're willing to believe that no unconstrained sub-CAs exist, and if you're willing to accept that most, but not all, certificates were issued according to the policies and community expectations, then such a statement is overly harsh.

By overly harsh, I'm not considering the reception of the CA, I'm considering the message that browser vendors would be sending to users and to sites that have chosen to use such certificates. For example, do you believe that if a user tries to access https://www.wosign.com, they should be shown an interstitial? Do you believe that is a helpful message to end users? Do we believe that the specific certificate is untrustworthy?
In most CA cases, when evidence of malfeasance is discovered, it's not 100% of the certificates. It might be .001%. But that .001% is significant enough to be uncomfortable to trust NEW certificates, because that margin is too high. Further, once disclosed via CT, we can reasonably be confident that EXISTING certificates conform to appropriate policies.

The only continuity of business that a CA would potentially need to provide, in the event of a distrusting, is OCSP and CRLs. And we know those simply don't work in the WebPKI, which is why CRLSets and OneCRL and Certificate Distrust List exist.

So I have trouble with your suggestion that a whitelist is an indication of continued trust in a CA, other than it's a recognition of the fact: "Most" of the certs are probably OK, but "new" certs have too high a margin of risk to continue to be accepted.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
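The reply above separates two decisions a relying party can make about a CA: stop accepting NEW issuance, or additionally decide which EXISTING certificates still get accepted, using CT disclosure as the whitelist. The following added example, which is not part of the thread and is not any browser's actual distrust code, models that policy on simplified certificate records (no X.509 parsing). The root names, fingerprints, dates and CT log entries are constructed; `Cert`, `DistrustPolicy`, `build_ct_whitelist` and `evaluate` are hypothetical names chosen for the illustration. It also encodes the message's caveat about undisclosed sub-CAs: a chain through an intermediate that was never disclosed is rejected regardless of the whitelist.

```python
"""Toy 'distrust new issuance, whitelist CT-disclosed existing certs' policy.

Added illustration; not the mailing-list author's code and not a real
browser implementation. All names, hashes and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    fingerprint: str   # stand-in for a SHA-256 certificate hash (constructed)
    subject: str
    issuer: str
    not_before: date
    is_ca: bool = False


@dataclass(frozen=True)
class DistrustPolicy:
    distrusted_roots: frozenset     # subjects of roots under distrust
    cutoff: date                    # notBefore on/after this => "new" issuance, rejected
    known_intermediates: frozenset  # fingerprints of disclosed sub-CAs
    ct_whitelist: frozenset         # fingerprints of leaves disclosed via CT before cutoff


def build_ct_whitelist(ct_entries: list[tuple[str, date]], cutoff: date) -> frozenset:
    """Whitelist = every leaf fingerprint whose CT log entry predates the cutoff.
    ct_entries are (fingerprint, logged_on) pairs from a (constructed) log snapshot."""
    return frozenset(fp for fp, logged_on in ct_entries if logged_on < cutoff)


def evaluate(chain: list[Cert], policy: DistrustPolicy) -> tuple[bool, str]:
    """Decide whether a leaf->root chain is accepted. chain[0] is the leaf,
    chain[-1] the root. Returns (accepted, reason)."""
    leaf, root = chain[0], chain[-1]
    if root.subject not in policy.distrusted_roots:
        return True, "root not subject to distrust"
    # An undisclosed sub-CA under a distrusted root is exactly the case where a
    # whitelist cannot help: we cannot bound what it issued, so reject outright.
    for ca in chain[1:-1]:
        if not ca.is_ca or ca.fingerprint not in policy.known_intermediates:
            return False, f"undisclosed intermediate {ca.subject}"
    if leaf.not_before >= policy.cutoff:
        return False, "issued after cutoff; new issuance from this CA is not trusted"
    if leaf.fingerprint not in policy.ct_whitelist:
        return False, "pre-cutoff certificate never disclosed via CT"
    return True, "existing CT-disclosed certificate accepted via whitelist"


# ---- constructed sample data ---------------------------------------------
CUTOFF = date(2016, 10, 21)
ROOT = Cert("root-aa11", "Example Distrusted Root", "Example Distrusted Root", date(2009, 1, 1), True)
SUB_OK = Cert("sub-bb22", "Example Disclosed Sub-CA", ROOT.subject, date(2014, 1, 1), True)
SUB_UNKNOWN = Cert("sub-cc33", "Example Undisclosed Sub-CA", ROOT.subject, date(2015, 6, 1), True)
OLD_LEAF = Cert("leaf-dd44", "shop.example", SUB_OK.subject, date(2016, 3, 1))
OLD_UNLOGGED = Cert("leaf-ee55", "mail.example", SUB_OK.subject, date(2016, 3, 1))
NEW_LEAF = Cert("leaf-ff66", "new.example", SUB_OK.subject, date(2016, 11, 2))

CT_LOG = [("leaf-dd44", date(2016, 3, 2)), ("leaf-ff66", date(2016, 11, 2))]

POLICY = DistrustPolicy(
    distrusted_roots=frozenset({ROOT.subject}),
    cutoff=CUTOFF,
    known_intermediates=frozenset({SUB_OK.fingerprint}),
    ct_whitelist=build_ct_whitelist(CT_LOG, CUTOFF),
)

CASES = {
    "existing, CT-logged": [OLD_LEAF, SUB_OK, ROOT],
    "existing, never logged": [OLD_UNLOGGED, SUB_OK, ROOT],
    "new issuance": [NEW_LEAF, SUB_OK, ROOT],
    "undisclosed sub-CA": [OLD_LEAF, SUB_UNKNOWN, ROOT],
}

if __name__ == "__main__":
    for name, chain in CASES.items():
        ok, why = evaluate(chain, POLICY)
        print(f"{name:24} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Only the first case is accepted; the second shows that the whitelist is built from CT disclosure rather than from the notBefore date alone, so an undisclosed pre-cutoff certificate is still rejected, and the fourth shows why the "no unconstrained sub-CAs" assumption in the message is a precondition for a whitelist to be meaningful at all.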