Hi Ryan,

I should start by reiterating what you already know, but might be a
useful reminder for others - no agreement has been made between Mozilla
and Qihoo/StartCom/WoSign. We gave them advice on what we thought the
community might like to see, but they are responsible for their plan,
and the Module Owner will take the final decision on what action Mozilla
will take. I have my own opinions, which clearly will carry some weight,
but the decision is not mine. So the following is an explanation of how
I myself am viewing the situation.

My view is that WoSign was not run in the way a CA should be run, in a
variety of ways. This was not generally true of StartCom, which was
reasonably well-run (although not perfect). Once WoSign bought StartCom
and StartCom started being influenced by WoSign technology and
management, things went downhill there too. But I feel that
re-separation of the two - at all levels, ownership, management and
technology - might allow StartCom to continue as a going concern. This
would imply StartCom has management Mozilla trusts, no ownership
connection through WoSign, and uses reliable technology not authored at
WoSign.

Someone else viewing the same evidence might conclude that it's too late
for such a separation, and the damage is done. I would understand that
conclusion, but it's not my view.

On 07/10/16 15:48, Ryan Sleevi wrote:
> Could you explain how Mozilla feels this line of reasoning and
> explanation is different than, say, how Mozilla handles Symantec
> inclusion requests?
> 
> For example, it seems you're suggesting that: 
> * This was the result of rogue employees acting outside of 
> appropriate policies 

Well, the employee in question set the policies. Misconduct at the CEO
level is somewhat more serious than misconduct at a much lower level.

> This response is very similar to that offered by Symantec when news
> of their misissuance first came to light, but it was later revealed
> that the issues were much deeper, much more systemic, and continued
> to persist well beyond the dates it was claimed for remediation.

I would say the key differences with Symantec are that WoSign's
misdemeanours involved actual misissuance to third parties (e.g. the
GitHub certificates) and provable lying, e.g. about ownership and SHA-1
backdating. I don't see either of those serious components in the
Symantec case. This is not to minimise what happened at Symantec, but I
do think the WoSign situation is more serious. But then, even before
this, I think it was already the case that you took a dimmer view of the
happenings at Symantec than I did (your view perhaps being based on more
complete information).

> I mention this not to suggest that StartCom is the same as Symantec,
> but to highlight precisely how this seems to move
> from a neutral, consistent standard, into one that favors some CAs
> while not treating others equally.

No decision has been made on how to treat StartCom; as soon as the plan
emerges (which needs to be soon) we can take a view. The kind of robust
challenge that you are providing is most welcome :-)

> For example, it was suggested that there would be a similar
> investigation into StartCom as there was with WoSign, with a
> gathering of issues for public discussion. Is that still the plan? 

The last part of the "WoSign and StartCom" document said:

"We are open to accepting further evidence, including whether there are
any significant errors in the above which would affect the narrative,
whether there have been any other problems with WoSign or StartCom’s
certificate issuance, and also any data relevant to our current view
that it is appropriate to treat these two CAs together."

No-one has come forward with additional StartCom issues since then. We
know about StartEncrypt (WoSign code) and Tyro (authorized by the WoSign
CEO). If you feel that invitation was insufficiently publicised, I
hereby issue it again.

As I said in my previous email, Qihoo's plans are enough, I think, to
count as "data relevant to our current view", and I think we should at
least consider the two CAs separately, although that doesn't preclude
reaching the same conclusion for each.

> It
> sounds like you're suggesting that Mozilla has reached some agreement
> for remediation with StartCom independent of WoSign, despite these
> two companies having the same management structure for the past year,
> despite having undergone significant infrastructure changes (which
> are trivially observable by outsiders, both via CT and via
> interactions with the CA), and, as evidenced by StartEncrypt, sharing
> significant development infrastructure. Both represent to the same
> parent company, which allowed these issues to happen in the first
> place, so what assurances do the public have that they won't happen
> again?

As noted above, no agreement has been reached. However, as the person
who took a meeting with Qihoo's Head of Security, who will now chair
StartCom, I feel that he does understand the issues and I am willing to
give his chairmanship and Iñigo Barreira's CEO-ship an opportunity to
demonstrate they can run a CA well. Iñigo's track record at Izenpe is
good - I'm not aware of any incidents involving them.

> For example, this would suggest that, if a company wished to minimize
> risk of its misissuances - or to actively engage in the practice
> while limiting liability - it might separate out certificates into
> subsidiary companies. They could then fully share infrastructure,
> development, etc - but only the one that actively "misissued" would
> be penalized, while the other sister companies (which share the same
> 'everything') could continue to be trusted, so long as the deck
> chairs were reshuffled after every iceberg.

Indeed, this would be a bad situation - which is why, in my mind, a
different deal for StartCom would be predicated on them moving quickly
to a position where they share _nothing_ with WoSign, rather than
everything. The WoSign document announced, almost in passing, the
ownership and management changes planned, and I expect the StartCom
remediation plan to give details about the technical and infrastructure
changes planned.

> In a separate thread regarding SHA-1 exception process, you
> highlighted that the ecosystem around root inclusion has failed to
> improve, resulting in risks being borne by the WebPKI, due to the
> lack of risk or cost for these "exceptional" situations where
> customers ignore communications and changes in the security
> landscape. I'm curious if Mozilla feels that the CA market is
> different, as it would seem to be suggested here.

I think that the plan we propose for WoSign is a clear statement that
the sort of behaviours seen there are unacceptable. I don't see them as
getting off lightly.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy