All, While this ongoing discussion regarding Symantec is going on, I wanted to chime in quickly to make a suggestion about graduated trust. Many of the proposals that Mozilla, Google, and other teams running CA programs put forward in cases of CA misbehaviour is to transition a CA from “trusted” to “partially trusted”: that is, to explicitly distrust certain CA-issued certificates that would ordinarily be trusted. For example, one of the WoSign remediations was to distrusted new WoSign certificates: that is, certificates whose notBefore date was after a certain date.
While I’m very supportive of this kind of remediation, it is not a remediation that non-browser implementations can follow very easily. For example, I run a downstream non-browser HTTP client[1] that by default uses a processed version of the Mozilla CA database[2] to define its list of trusted roots. This is very convenient, as it allows me to delegate the job of running a CA program to Mozilla and MDSP, a collection of people much better equipped to handle the job. This is a common approach throughout the open source ecosystem: for example, curl also makes available a processed version of the Mozilla trust database. Unfortunately, it is currently *not* possible to distribute any kind of partial trust information: that is, tools that consume the Mozilla trust database can only completely trust, or completely distrust, a CA. That means that non-browser tools cannot follow the guidance of MDSP or Mozilla, even though we’d very much like to. In practice, this means that we will almost always continue to trust certificates that browsers would not. This prevents us from providing a unified front on this issue, and also exposes our users to risk from misbehaving CAs that we continue to trust to issue new certificates, even though Mozilla would not. We’d like to follow your lead on this: however, it’s just beyond our resources to keep writing custom code to handle these cases each time they come up. If Mozilla is interested in doing a substantial public service, this situation could be improved by having Mozilla and MDSP define a static configuration format that expresses the graduated trust rules as data, not code. Essentially, a file could exist beside the list of root CA certificates that notes any graduated trust rules (e.g. must have notBefore earlier than x, must contain signatures without these hash algorithms, etc.) that would be used by Firefox to build its graduated trust rules. That file could then be distributed with processed versions of the Mozilla trust database, and tools that are able to understand it could apply the graduated trust rules that Mozilla is applying as well. This is just a suggestion: defining, writing, and maintaining this config file would be a decent amount of work and would provide pretty minimal benefit to Mozilla directly. I wouldn’t be at all surprised to find that this is not something Mozilla is interested in pursuing. However, I think it would be of substantial value to the wider HTTP and TLS community if we were able to form a unified front with Mozilla in trusting CAs. Thanks, Cory _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
