I think Ryan's commentary reflects, again, that the discussion here seems
to be about trust.

In that spirit, I put forth some questions of hypotheticals to provoke
further contemplation and discussion:

1.  Presume that QiHoo 360 / WoTrus / WoTrust / StartCom actually purchased
one of the small but still active currently included CA players -- perhaps
from a business not primarily a CA.  Maybe a bank that's a root program
member.  Let's assume that the acquired entity's management reached out
properly during the negotiations and post-closing and persuaded Mozilla
that the same management team is still in place and will continue to have
custody of the infrastructure (including keys, etc) and day to day control
of the operations.  Additionally, said team commits to notify the root
programs immediately if that should change.

1a.  Would Mozilla / the community grant this change of ownership?
1b.  If so, on what basis?
1c.  If not, on what basis?

2.  Presume that the same hypothetical acquiree is acquired by QiHoo 360 /
WoTrus / WoTrust / StartCom.  Presume that this is announced during or
after the closing with Mozilla.  Presume that post-closing, the executive
management and operations staff reach out to the root program to notify
Mozilla that they are stepping down from their roles -- or sharing their
roles -- with Richard Wang (hypothetically).

2a.  Would Mozilla / the community grant this change of CONTROL?
2b.  If so, on what basis?
2c.  If not, why not?

I reiterate that I think this is about the finite (and generally pretty
small) set of people with privileged access and responsibility, and it is
about trust in those people to abide by the rules or, in the alternative, to notify
immediately if they are no longer able to abide by them.  I think a CA manager who
makes such commitments formally or informally can be individually held to
account.  A severe enough issue, such as intentional deception, could be
visited with a presumption of a lifetime ban on working for any included
CA, with exceptions and reversals rare and hard earned.

Like in so many other areas of life, people running CAs must be personally
accountable and must enjoy the privileges which accompany the good
reputation of a long and reliable and storied career while, on the other
hand, being able to enjoy the punishment attendant in ruining one's name (within a
given scope, at least).

Matt Hardeman


On Wed, Nov 22, 2017 at 10:52 AM, Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> >
> > Mozilla did not formally require this, but it is true that as far as we
> >> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
> >>
> >>
> > I think assessing and discussing the viability of a return of WoSign
> > would be a lot easier if we had at least a proposed draft master plan
> > from WoSign, so we could discuss if that plan (if correctly and honestly
> > implemented) would be sufficient.
>
>
> Alternatively, and I think what Gerv was requesting, was what concerns
> people would raise with respect to a reapplication, such that WoSign/WoTrus
> could ensure sufficient consideration went into such plans.
>
> Obviously, there will be concerns with implementation details, and finding
> those out before WoTrus implements is a useful and viable task. But
> similarly, by outlining the broader concerns, it might help inform.
>
> For example, one theme that can be picked up on this thread is a concern
> around the potential inconsistencies with respect to Richard Wang's role at
> WoTrus. Given his direct and personal involvement in the misissuance
> practices, one view might be that he's a fundamentally untrustworthy actor
> who has repeatedly displayed behaviours that undermine community trust in
> the organizations he is affiliated with. The statements about his
> transition out of CEO, and his apparent resumption of those duties, might
> underscore concerns about the management structure. It may be that a
> solution is for a response similar to what Mozilla recently shared with
> respect to DigiCert and Symantec, and a concern that any organization in
> which Richard Wang has a decision making capacity may not be a trustworthy
> organization.
>
> Or it might be that some feel that is too strong, and look for technical
> measures - such as no inclusion of WoTrus logs until Mozilla has the
> technical capability to enforce Certificate Transparency on such
> certificates, such that any risks can be expediently detected and trust
> removed.
>
> These are all concerns that would arise during a discussion phase - after
> the stated requirements of Mozilla have been met, but due to potential
> overwhelming community concern about any trust in a Richard Wang-affiliated
> CA or an organization with a history as sordid as WoTrus/WoSign/WoTrust.
>
> If we assume good faith of WoTrus, which may be overly generous given past
> behaviour, then the goal of this discussion would be addressing the
> concerns that would exist with _future_ trust, now that the past/present
> trust has been addressed, such that systems can be designed and evaluated
> to appropriately consider such feedback.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>