On 14/11/2016 12:46, Gervase Markham wrote:
> Hi all,
>
> RFC 6962bis (the new CT RFC) allows certs below technically-constrained
> sub-CAs (TCSCs) to be exempt from CT. This is to allow name privacy.
> TCSCs themselves are also currently exempt from disclosure to Mozilla in
> the Common CA Database.
>
> If this is the only privacy mechanism available for 6962bis, I suspect
> we will see a lot more TCSCs about, particularly if CAs figure out ways
> to mint them at scale within the letter of the BRs and other requirements.

If this is the only privacy mechanism in 6962bis, I would suggest that
everyone not employed by either Google or another mass-monitoring
service block its adoption on human rights grounds and on the basis of
being a mass-attack on network security.

> CT is getting to be very useful as a way of surveying the certificate
> ecosystem. This is helpful to assess the impact of proposed policy
> changes or positions, e.g. "how many certs don't have an EKU", or "how
> many certs use a certain type of crypto". If certs under TCSCs are
> exempt and this becomes popular, CT would become less useful for that.
>
> One possible answer is just to say: "Mozilla will not accept 'but we
> have a lot of certs under TCSCs which will be affected by this' as a
> valid reason not to do something. In other words, if you hide stuff and
> it breaks, you get to keep both pieces." But in practice, such a line
> might not hold.
>
> Thoughts and suggestions?
>
> Gerv



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded