On 04/11/2016 13:19, Gervase Markham wrote:
> CT is coming to Firefox. As part of that, Mozilla needs to have a set of
> CT policies surrounding how that will work. Like our root inclusion
> program, we intend to run our CT log inclusion program in an open and
> transparent fashion, such that the Internet community can see how it
> works and how decisions are made. (It is quite possible that, like our
> root program, other entities without the resources to run their own
> programs might adopt our decisions.)
>
> This policy will need to consider at least the following questions. The
> point of this posting is to gather more _questions_, not to work out the
> answers. In other words, I am trying to work out the scope of the
> policy, not what the policy will be.
>
> So, please add comments with additional _questions_ you think the policy
> will need to address. What the answers should be is (for now) off-topic.
>
> Questions I have so far:
>
> * How do we decide which logs to trust?
>
>   * Do we have requirements for uptime?
>   * Do we have requirements for certs accepted?
>   * Do we have requirements for the MMD?
>
> * How do we decide when to un-trust a log? What reasons are valid
> reasons for doing so?
>
> * Do we want to put monitoring in place to ensure our log quality or
> uptime requirements are met?
>
> * Are there any CT-related services Mozilla should consider running or
> supporting, for the good of the ecosystem?
>
> * Do we want to require a certain number of SCTs for certificates of
> particular validity periods?
>
> * Do we want the Google/non-Google diversity requirement? Or any other
> diversity requirement?
>
> * Which certs, if any, should we require CT for, and when?
>
> * Do we want to allow some CAs to opt into CT before those dates?
>
> * Do we want to require some CAs to do CT before those dates?

* How do we allow organization-internal non-public CAs to not reveal
 their secret membership/server lists to public CT systems or otherwise
 run the (administratively and technically) expensive processes
 required of public CAs?  For example, many medium or large companies
 have in-house CAs issuing certificates for communicating with their
 internal servers, VPNs, extranets etc.  Such internal CAs may vary
 from primitive off-line CAs (no online active components such as OCSP
 responders or CT loggers) to off-the-shelf enterprise CA packages such
 as Microsoft Windows Server Certificate Services, xca or EJBCA.

* How do we prevent public CAs from misusing the exceptions for private
 CAs?

* Even though not currently accepted (surprise) by the advertising
 giant Google, should Mozilla set or promote standards for acceptable
 CT privacy options such as name truncation to first level below public
 suffixes, omission of the local part of e-mail addresses of accounts
 other than the RFCxxxx standard mailboxes (Postmaster, webmaster,
 hostmaster etc.) etc.?

* Should Mozilla impose a multi-national diversity requirement, e.g.
 that the CT services used must not belong (directly or via ownership
 etc.) to a single national jurisdiction such as the USA or PRC?  For
 example, if one CT log is run by Mozilla or Google (both US
 organizations), should there be at least one CT log from a staunchly
 independent country and organization, such as a South African owned CT
 log hosted in India?

* Should the CT logs be independent of the issuing CA (e.g.
 Symantec/Thawte can run a CT log, but it only counts for certificates
 from other CAs)?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
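The two CT privacy options Jakob raises above (truncating a DNS name to the first label below its public suffix, and dropping the local part of an e-mail address unless it is a standard role mailbox) can be sketched as a small redaction routine. The code below is an added example written for this page; it is not Mozilla policy code, not part of any CT implementation, and not code posted by either author. It assumes a tiny constructed stand-in for the Public Suffix List, a constructed set of role mailboxes, and a "?" placeholder label for the redacted part; all three are choices made for the example.

```python
"""Redaction of SubjectAltName-style entries along the lines of the two CT
privacy options discussed in the thread.  Added example, not CT or Mozilla code.
"""
from typing import List, Optional

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/).  A real implementation would load the full
# list; only the longest-matching-suffix rule is modelled here.
PUBLIC_SUFFIXES = {"com", "org", "dk", "co.uk", "github.io"}

# Constructed set of standard role mailboxes that the message suggests
# leaving unredacted (postmaster, webmaster, hostmaster and similar).
STANDARD_MAILBOXES = {"postmaster", "webmaster", "hostmaster", "abuse", "security"}

# Assumed placeholder label for redacted material (an assumption of this example).
REDACTED = "?"


def public_suffix(name: str) -> Optional[str]:
    """Return the longest known public suffix of `name`, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def truncate_dns_name(name: str) -> str:
    """Keep only the first label below the public suffix; everything in front
    of it collapses to a single REDACTED label.  A bare registrable domain is
    returned unchanged because it reveals nothing beyond the registrant."""
    suffix = public_suffix(name)
    if suffix is None:
        raise ValueError(f"no known public suffix for {name!r}")
    labels = name.lower().rstrip(".").split(".")
    suffix_len = len(suffix.split("."))
    if len(labels) <= suffix_len:
        raise ValueError(f"{name!r} is itself a public suffix")
    registrable = ".".join(labels[-(suffix_len + 1):])
    if len(labels) == suffix_len + 1:
        return registrable
    return f"{REDACTED}.{registrable}"


def redact_email(addr: str) -> str:
    """Drop the local part unless it is a standard role mailbox; the domain
    part is always kept so the certificate can still be attributed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if local in STANDARD_MAILBOXES:
        return f"{local}@{domain}"
    return f"{REDACTED}@{domain}"


def redact_san_entries(entries: List[str]) -> List[str]:
    """Apply the matching rule to each SAN entry: e-mail if it contains '@',
    DNS name otherwise."""
    return [redact_email(e) if "@" in e else truncate_dns_name(e) for e in entries]


if __name__ == "__main__":
    # Constructed sample SAN list for an imaginary internal CA.
    sample = ["vpn.intranet.example.co.uk", "example.com",
              "hostmaster@Example.org", "alice@example.org"]
    for before, after in zip(sample, redact_san_entries(sample)):
        print(f"{before:30} -> {after}")
```

Note that the truncation rule depends entirely on an accurate public suffix list: with an outdated or incomplete list, a name such as `team.someplatform.example` would either fail outright or be truncated to the wrong level, so any real deployment would have to pin and refresh the list it uses.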
