On Mon, Apr 3, 2017 at 7:18 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I see it as part of the underlying reasoning. Mozilla et al. want
> disclosure in order to take action if the disclosed facts are deemed
> unacceptable (under policy or otherwise). Upon receiving the
> disclosure, the root program gains the ability to take counteractions,
> such as protesting to the issuing CA, or manually blocking the unwanted
> SubCA cert via mechanisms such as OneCRL. The rules don't make the CAs
> wait for the root programs to get upset, but must allow at least zero
> time for this time to happen.

That's not correct.

>>>> I believe you're suggesting simultaneously across all root programs, is
>>>> that correct? But that's not a requirement (and perhaps based on the
>>>> incorrect and incomplete understanding of point 1)
>>>>
>>>
>>> Yes, across all root programs, that is the key point, see #0.
>>>

You're still incorrect here.

>>> Also, it is argued as a logical consequence of #3, #2, #0, i.e.
>>> assume another root program enacts similar rules. Once the SubCA cert
>>> is disclosed on the CCADB for Mozilla and Chrome, the SubCA operator
>>> can download the SubCA cert from the CCADB and use it to make users of
>>> that other root program trust issued certificates before that other
>>> root program received the disclosure.
>>>
>>
>> I see zero problem with the SubCA receiving the certificate
>> immediately from the issuing CA, even prior to disclosure in the
>> CCADB. The proposed requirement is that the SubCA not issue prior to
>> confirming the disclosure has been made.
>>

I agree with Peter here.

> Not receiving the certificate prevents a rogue or rookie SubCA from
> meaningfully issuing prematurely. After all, SubCA operators are only
> humans, and usually less experienced in all this than long time major
> CA operators.
>

That's not a problem we're trying to solve here. That's great that you care, but you've also highlighted the many problems with your proposal, so perhaps it is a bad goal no longer worth discussing?
>>> By symmetry, if Mozilla has to shut down the CCADB for maintenance for
>>> 2 days, another root program might receive and publish the disclosure
>>> first, causing the same problem for users of Mozilla and Chrome
>>> products.
>>>
>>
>> I'm not sure where you see the "problem for users" here. This is no
>> different than what happens today for many CAs.
>>
>
> The problem for users is that their Browser/client trusts a certificate
> from a SubCA that their trusted root program has never seen, and thus
> not even had a chance to form an opinion about.

That's great. That's not the goal. The rest logically shakes out as irrelevant.