In defense of WoSign/WoTrus/StartCom's parent company, QiHoo 360...

While I don't personally attach a great value to the ethics of the owning
entity of the CA/proposed CA, for those who do or would attach such
importance, I would like to point out that the various vulnerabilities and
security research teams at QiHoo do a lot of good work and indeed are quite
often credited for discovery of vulnerabilities in a plurality of
complicated systems and products:

For example, QiHoo 360's researchers are among the largest contributors by
unique vulnerabilities discovered and documented in Google's Android OS.
Similarly, quite a lot of firmware and OS in Apple products have
vulnerability reports crediting QiHoo 360 for discovery of vulnerabilities.

These include such "big-ticket" banner issues as the Broadcom wi-fi driver
bug which allowed for arbitrary code execution.

It's clear that the parent organization employs a great many talented
security and vulnerability researchers who are materially contributing to
the overall security and integrity of computing, mobile, network, and
software technologies.

I'm sure there's plenty to criticize about them as well, but the fact
remains...  They are securing a lot of undisputed credit for novel
discovery of significant security issues in products millions are using
daily -- and they're disclosing these to the vendors and fixes are
happening.

If it is decided that we want to attach "corporate level" responsibility to
current and prospective CAs, I submit that this is a data point for
consideration.

As to my own opinion, I do not think the behavior of the ownership
hierarchy or corporate entity is of direct concern.  Rather, I think the
behavior of the people involved is where the ultimate story starts and
stops.

On Wed, Nov 22, 2017 at 1:10 PM, Matthew Hardeman <mharde...@gmail.com>
wrote:

>
>
> On Wed, Nov 22, 2017 at 12:00 PM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>>
>> Given that WoSign's CP/CPS itself was met by standard boilerplate, I
>> would pose that it is insufficient - the past behaviour as a predictor of
>> future behaviour means that the existing documentation approaches are
>> insufficient to make an evaluation about the trustworthiness going forward.
>>
>> How would this be remedied? It seems at a minimum, there'd need to be
>> safeguards within the new documents that sufficiently describe and mitigate
>> the past failures of safeguards.
>>
>>
> Presuming that the to-be-offered-up CP/CPS/infrastructure
> architecture/key+cert chains proposed/self-assessment questionnaire, etc,
> met the current definition of bog standard acceptable -- specifically,
> those same documents with the name of a new entrant entity would be
> accepted, it would seem that, in your position, we're back to applying a
> different standard for this proposed inclusion?
>
> Therefore, I think we must define what aspect of the same material
> application with the same documents, save for entity name, makes it
> acceptable in some cases and not acceptable in others.
>
> Is it the fact that it is the same legal entity applying which causes this
> proposed different standard to attach?  I'll expound on why I believe that
> would not be an appropriate marker.
>
> Is it the fact that it is the same management team applying which causes
> this proposed different standard to attach?  Similarly, I'll explain why I
> believe this IS a concern for which different standards can be applied.
>
> It's really hard to look to a legal entity as a strict boundary for
> behavior.  The legally crafty entity can always spin up a sibling or child
> entity to overcome that hurdle.  We can then talk about beneficial
> ownership as a factor, but as an entity scales larger, so too the
> probability that the true beneficial ownership is merely an equity
> investment player, broadly unconcerned with the day to day management.  I
> don't know a decent way to define the boundary of a CA as aligning to a
> corporation or corporate family and then holding that legal entity
> accountable for an indefinite period of time.  There are just too many ways
> around it.  I think standards drawn this way are likely to have perverse
> consequences both as to inclusion and exclusion.
>
> If the particular investor/lender who presently holds title to the
> proposed CA is of little to no interest then, what can we rely on in those
> matters which require us to extend this nebulous concept of trust and good
> faith?  I believe the key lies in those members of the management team and
> operations team who have access and authority to impact the behavior of the
> CA.  I think those people are knowable and that reward and consequence can
> be taxed upon those individuals as appropriate.  I submit that the root
> programs have both the carrot and stick with which to convey those same
> said rewards and consequences.
>
> If instead what Ryan proposes is that the now current definition of
> "standard" for CP/CPS/other docs/etc should be modified to include specific
> gotchas and mitigations for the history as learned from
> WoSign/WoTrus/WoTrust/StartCom then I think there is a case to be made
> there.  Having said that, the things we're trying to codify from the
> mentioned prior behavior will be really hard to codify.  There's not an
> easily written mitigation for "We're run by someone who'll sell anything,
> including that which industry consensus says must not be sold."
>
> > I think an important part of this discussion is trying to understand to
> > what side of Hanlon's razor did WoSign's actions fall (or, to that matter,
> > of any CA). If it was incompetence, is there sufficient explanation for how
> > such incompetence happened? Is there sufficient evidence that both the
> > specific incident and any underlying causes have been remediated?
> > Alternatively, if we allow it to be attributed to malice (or, for that
> > matter, greed), is it possible to design a system of trust that is robust
> > against such considerations? If not, is it an acceptable risk to take
> > going forward? If we can, what are those controls and expectations?
>
> As to this question, I put forth that the discussion should proceed as to
> the hypothetical scenario in which greed, intentional non-compliance, and
> intentional deception as an attempt to cover for said greed and
> non-compliance were all the reality.  The backdated issuance of an SHA1
> server certificate for Australian payments process Tyro, for example, is
> hard to imagine in another light.  I suspect Tyro realized they suddenly
> needed something that couldn't legitimately be ordered and started reaching
> out to CAs that they thought might sell them something special for a
> premium.  I think someone (presumably the operations leadership) at
> StartCom at that point saw a revenue opportunity with which he might
> impress the ownership.
>
> If all of that is how that played out, I reiterate my question: Is that
> about the CA / proposed CA or is that about the individual management who
> caused these matters to arise?  I submit that it is properly taxed upon the
> individual.
>
> Just my thoughts...
>
> Matt Hardeman
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy