On Wed, Nov 22, 2017 at 3:34 PM, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > I don't see any reason why we would want to take that risk.
>
> It's not easy to spin up a new CA, but it's also not rocket surgery.
> Why should we prefer to re-admit a previously distrusted organisation
> over taking a chance with someone new and untried? Is there a shortage
> of organisations interested in this role? I don't think so.
>
> Running a publicly trusted CA is not a right which was temporarily
> suspended, it's a privilege you might earn. Mozilla should operate with
> a default assumption that losing this privilege is permanent.

I would entirely concur with Mr. Lamb's position on the key issue of trust/distrust versus any policy mitigations in CP/CPS/etc. The long and storied history of the CA ecosystem certainly suggests that key issues of trust and integrity of the operator are not able to be effectively controlled for by policy mitigations.

I essentially agree on the matter of the "prefer" matter. I would put forth that a CA being reborn out of the StartCom/WoSign/WoTrus debacle should effectively be considered a new CA and given no free passes for anything prior.

Again it's back to this "What _is_ the CA?" Is it the brand name? Is it the legal entity? Is it the ownership, to such extent as we can determine it? Or is it the least common denominator (trust and integrity wise) of the set of privileged operations staff and executives at any given moment?

Certainly brand names can be tarnished: StartCom and WoSign, for example. If I were them I'd never reapply in those names, but whatever... A brand name is just that. It doesn't signify a scope upon which to place trust.

The legal entity? In most jurisdictions you don't even need an attorney to quickly fashion a subsidiary and sibling entity with ownership in common.

If the same management team came forth with a whole new Delaware based (on paper) corporation, would we actually give a free pass -- meaning no prior actions by the management causing us to disadvantage the new CA -- to "Phoenix Rising CA of Delaware totally not Chinese, Inc."? If we would.... forgive my bluntness... that's stupid. If we would not.... Why not? It's a new company with a whole new (empty) history? How do you objectively define that it's not really new?

We could say the ownership? Possible. QiHoo 360 owned StartCom, owned and continues to own WoTrus. Maybe since the beneficial ownership is the same, we consider them the same. This does not follow logically, however.

DigiCert is a great CA. However, they're owned by a private equity concern: Thoma Bravo. While their name has come up -- most recently due to the Symantec certificate business acquisition -- I don't recall anyone here ever having a serious discussion as to whether Thoma Bravo is fit to own some of the most compatible and widespread root certs / keys. If DigiCert is just another property Thoma Bravo owns, why should we be concerned? I think, instinctively, we know that we'll judge DigiCert on the DigiCert management's actions.

Leading me back to... The people. It's not new if it's the same people in positions of privileged access and decision authority. It is new if a competent executive and operations team who haven't burned the community's good will and trust step forward and indicate that they will be taking custody and control of the assets and operations of the CA / prospective CA.

Speaking only with respect to my personal opinion, whether or not there's a certificate authority called WoTrust / WoTrus in the root store doesn't concern me. I am terribly concerned with whether or not Richard Wang has authority and access at ANY trusted CA.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy