On Wed, Nov 22, 2017 at 12:00 PM, Ryan Sleevi <r...@sleevi.com> wrote:

>
> Given that WoSign's CP/CPS itself was met by standard boilerplate, I would
> pose that it is insufficient - the past behaviour as a predictor of future
> behaviour means that the existing documentation approaches are insufficient
> to make an evaluation about the trustworthiness going forward.
>
> How would this be remedied? It seems at a minimum, there'd need to be
> safeguards within the new documents that sufficiently describe and mitigate
> the past failures of safeguards.
>
>
Presuming that the to-be-offered-up CP/CPS/infrastructure
architecture/key+cert chains proposed/self-assessment questionnaire, etc,
met the current definition of bog standard acceptable -- specifically,
those same documents with the name of a new entrant entity would be
accepted, it would seem that, in your position, we're back to applying a
different standard for this proposed inclusion?

Therefore, I think we must define what aspect of the same material
application with the same documents, save for entity name, makes it
acceptable in some cases and not acceptable in others.

Is it the fact that it is the same legal entity applying which causes this
proposed different standard to attach?  I'll expound on why I believe that
would not be an appropriate marker.

Is it the fact that it is the same management team applying which causes
this proposed different standard to attach?  Similarly, I'll explain why I
believe this IS a concern for which different standards can be applied.

It's really hard to look to a legal entity as a strict boundary for
behavior.  The legally crafty entity can always spin up a sibling or child
entity to overcome that hurdle.  We can then talk about beneficial
ownership as a factor, but as an entity scales larger, so too the
probability that the true beneficial ownership is merely an equity
investment player, broadly unconcerned with the day to day management.  I
don't know a decent way to define the boundary of a CA as aligning to a
corporation or corporate family and then holding that legal entity
accountable for an indefinite period of time.  There are just too many ways
around it.  I think standards drawn this way are likely to have perverse
consequences both as to inclusion and exclusion.

If the particular investor/lender who presently holds title to the proposed
CA is of little to no interest then, what can we rely on in those matters
which require us to extend this nebulous concept of trust and good faith?
I believe the key lies in those members of the management team and
operations team who have access and authority to impact the behavior of the
CA.  I think those people are knowable and that reward and consequence can
be taxed upon those individuals as appropriate.  I submit that the root
programs have both the carrot and stick with which to convey those same
said rewards and consequences.

If instead what Ryan proposes is that the now current definition of
"standard" for CP/CPS/other docs/etc should be modified to include specific
gotchas and mitigations for the history as learned from
WoSign/WoTrus/WoTrust/StartCom then I think there is a case to be made
there.  Having said that, the things we're trying to codify from the
mentioned prior behavior will be really hard to codify.  There's not an
easily written mitigation for "We're run by someone who'll sell anything,
including that which industry consensus says must not be sold."

> I think an important part of this discussion is trying to understand to
> what side of Hanlon's razor did WoSign's actions fall (or, to that matter,
> of any CA). If it was incompetence, is there sufficient explanation for how
> such incompetence happened? If there is sufficient evidence that both the
> specific incident and any underlying causes have been remediated?
> Alternatively, if we allow it to be attributed to malice (or, for that
> matter, greed), is it possible to design a system of trust that is robust
> against such considerations? If not, is it an acceptable risk to take
> going forward? If we can, what are those controls and expectations?

As to this question, I put forth that the discussion should proceed as to
the hypothetical scenario in which greed, intentional non-compliance, and
intentional deception as an attempt to cover for said greed and
non-compliance were all the reality.  The backdated issuance of an SHA1
server certificate for Australian payments process Tyro, for example, is
hard to imagine in another light.  I suspect Tyro realized they suddenly
needed something that couldn't legitimately be ordered and started reaching
out to CAs that they thought might sell them something special for a
premium.  I think someone (presumably the operations leadership) at
StartCom at that point saw a revenue opportunity with which he might
impress the ownership.

If all of that is how that played out, I reiterate my question: Is that
about the CA / proposed CA or is that about the individual management who
caused these matters to arise?  I submit that it is properly taxed upon the
individual.

Just my thoughts...

Matt Hardeman
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
