On Thu, Jan 25, 2018 at 4:20 PM, Peter Bowen via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Jan 25, 2018 at 1:02 PM, Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > On Thu, Jan 25, 2018 at 3:34 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
> >
> >> On Thu, Jan 25, 2018 at 11:48 AM, Jonathan Rudenberg <
> >> jonat...@titanous.com> wrote:
> >>
> >>> This is a great improvement. I think we should also ask that any CAs
> >>> using these methods immediately disclose that they are and the procedures
> >>> they are using, as well as the date they expect to complete a review of
> >>> their implementation, and then provide the review when it is complete.
> >>
> >>
> >> The scope of this issue is much different from the method .9 and .10
> >> vulnerabilities - a lot of CAs use methods .1 and .5. Asking them all to
> >> answer these questions seems likely to just yield a bunch of "we reviewed
> >> our implementation and it is perfect" emails. What do you hope to learn
> >> from this disclosure that hasn't already been discussed? What do others
> >> think?
> >>
> >> If we want to hold CAs accountable for this disclosure, we'll need to turn
> >> this communication into a survey and give CAs a certain amount of time to
> >> respond, so we won't have answers for weeks.
> >>
> >
> > I'm curious why the "for weeks" disclosure.
> >
> > Mozilla has required since April 2017 that CAs disclose the method of
> > validation they use - https://wiki.mozilla.org/CA/Communications#April_2017
> > (Specifically, Action #1), which MUST be completed before July 21, 2017.
> >
> > Jonathan's proposal to require the CAs "immediately disclose that they are"
> > is thus consistent with the CA simply reading its CP/CPS. Further, "the
> > procedures that they are using" is also a matter of existing CP/CPS
> > documentation and/or supporting documents - making them explicitly public.
> >
> > So this merely leaves the question of "The date they expect to complete a
> > review of their implementation, and then provide the review when it is
> > complete".
>
> What incentive is there for a CA to ever answer with anything other than:
>
> a) that they may use any method allowed by Mozilla, and
>
> b) they have reviewed their implementation and believe that it
> complies with Mozilla's requirements?
>

I'm not sure I follow - there are two different things at play here.

Combining Wayne's text with Jonathan's proposal, the question is to require
CAs disclose whether they're specifically using 3.2.2.4.1 and 3.2.2.4.5. If
they are, additional work is asked of them. If they aren't, their work is
done.

Thus the incentive for the CA is to be precise about what methods they are
using, because if they aren't using those methods, then there's no work for
them to do.

The Baseline Requirements already require - using a specific proposal from
Mozilla - that CAs "SHALL maintain a record of which domain validation
method, including relevant BR version number, they used to validate every
domain."

So every CA already has the information available as to
- What methods they COULD use to validate
- What methods they DO use to validate

And the request is that they simply aggregate and provide that information
as part of a normal disclosure process, for information that should be
readily available, in order to inform policy and the potential risks of
changing policy, both per-CA and per the ecosystem.

A more concrete question may be:
- Does your CP/CPS permit you to use 3.2.2.4.1?
- Does your CP/CPS permit you to use 3.2.2.4.5?
- If you answered yes to either of the previous two questions:
  - In the past 6 months, how many certificates did you issue?
  - In the past 6 months, how many certificates did you issue that contained a domain validated using 3.2.2.4.1?
  - In the past 6 months, how many new domain validations using 3.2.2.4.1 were performed?
  - In the past 6 months, how many unique domains reused a previously completed 3.2.2.4.1 validation?
  - In the past 6 months, how many certificates did you issue that contained a domain validated using 3.2.2.4.5?
  - In the past 6 months, how many new domain validations using 3.2.2.4.5 were performed?
  - In the past 6 months, how many unique domains reused a previously completed 3.2.2.4.5 validation?

The first two questions involve reviewing the CP/CPS. The CA should be
qualified to do so. The remaining questions 'should' be simple queries on
their issuance database. A CA that has not maintained accessible records of
such issuance - for example, putting them in a locked filing cabinet, in
the basement, beneath the leopard - is a CA not equipped to effectively
respond to security risks.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
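As an added illustration of the point above (this is not code from the thread or from any CA's actual issuance system), the following models the per-domain validation record the Baseline Requirements ask CAs to keep (domain, validation method, BR version, date) and answers the per-method questions as plain SQL queries. The three-table schema, the sample rows, and the definition of "reuse" (a validation completed before the reporting window opened that a certificate issued inside the window still relied on) are all my assumptions; the method identifiers are the BR section numbers the thread discusses.

```python
import sqlite3

# Added example, not any CA's real system. Schema, sample data and the "reuse"
# definition are assumptions made for illustration.

METHOD_1 = "3.2.2.4.1"
METHOD_5 = "3.2.2.4.5"

# Constructed sample records. ISO dates compare correctly as strings in SQLite.
VALIDATIONS = [
    # id, domain, method, br_version, validated_at
    (1, "example.com",      "3.2.2.4.1", "1.4.1", "2017-03-01"),
    (2, "example.net",      "3.2.2.4.5", "1.4.1", "2017-04-15"),
    (3, "example.org",      "3.2.2.4.2", "1.5.4", "2017-11-10"),
    (4, "mail.example.com", "3.2.2.4.1", "1.5.4", "2017-12-01"),
    (5, "shop.example.net", "3.2.2.4.5", "1.5.4", "2018-01-05"),
    (6, "api.example.org",  "3.2.2.4.6", "1.5.4", "2018-01-10"),
]
CERTIFICATES = [
    # id, issued_at
    (100, "2017-12-02"),
    (101, "2018-01-06"),
    (102, "2018-01-11"),
    (103, "2017-06-01"),  # outside the six-month reporting window
    (104, "2018-01-20"),
]
CERT_DOMAINS = [
    # cert_id, domain, validation record the issuance relied on
    (100, "example.com",      1),
    (100, "mail.example.com", 4),
    (101, "example.net",      2),
    (101, "shop.example.net", 5),
    (102, "api.example.org",  6),
    (102, "example.org",      3),
    (103, "example.com",      1),
    (104, "example.com",      1),  # second certificate reusing validation 1
]


def build_db():
    """Load the constructed records into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domain_validations (
            id INTEGER PRIMARY KEY, domain TEXT NOT NULL, method TEXT NOT NULL,
            br_version TEXT NOT NULL, validated_at TEXT NOT NULL);
        CREATE TABLE certificates (id INTEGER PRIMARY KEY, issued_at TEXT NOT NULL);
        CREATE TABLE certificate_domains (
            cert_id INTEGER REFERENCES certificates(id),
            domain TEXT NOT NULL,
            validation_id INTEGER REFERENCES domain_validations(id));
    """)
    conn.executemany("INSERT INTO domain_validations VALUES (?, ?, ?, ?, ?)", VALIDATIONS)
    conn.executemany("INSERT INTO certificates VALUES (?, ?)", CERTIFICATES)
    conn.executemany("INSERT INTO certificate_domains VALUES (?, ?, ?)", CERT_DOMAINS)
    return conn


# Every certificate issued in the window, joined to the validation record each
# of its domains relied on. The per-method questions are filters over this.
_ISSUED_IN_WINDOW = """
    FROM certificates c
    JOIN certificate_domains cd ON cd.cert_id = c.id
    JOIN domain_validations v ON v.id = cd.validation_id
    WHERE c.issued_at BETWEEN ? AND ?
"""


def methods_used(conn, start, end):
    """Methods the CA actually relied on in the window, as opposed to what its CP/CPS permits."""
    rows = conn.execute(
        "SELECT DISTINCT v.method " + _ISSUED_IN_WINDOW + " ORDER BY v.method", (start, end))
    return [r[0] for r in rows]


def method_report(conn, method, start, end):
    """Answer the four per-method questions for the window [start, end].

    Assumption: a validation is "reused" when it was completed before the
    window opened and a certificate issued inside the window relied on it.
    """
    total = conn.execute(
        "SELECT COUNT(*) FROM certificates WHERE issued_at BETWEEN ? AND ?",
        (start, end)).fetchone()[0]
    certs_with_method = conn.execute(
        "SELECT COUNT(DISTINCT c.id) " + _ISSUED_IN_WINDOW + " AND v.method = ?",
        (start, end, method)).fetchone()[0]
    new_validations = conn.execute(
        "SELECT COUNT(*) FROM domain_validations WHERE method = ? AND validated_at BETWEEN ? AND ?",
        (method, start, end)).fetchone()[0]
    domains_reusing = conn.execute(
        "SELECT COUNT(DISTINCT cd.domain) " + _ISSUED_IN_WINDOW
        + " AND v.method = ? AND v.validated_at < ?",
        (start, end, method, start)).fetchone()[0]
    return {
        "certificates_issued": total,
        "certificates_with_method": certs_with_method,
        "new_validations": new_validations,
        "domains_reusing_validation": domains_reusing,
    }


if __name__ == "__main__":
    db = build_db()
    window = ("2017-07-26", "2018-01-25")  # six months before the thread date
    print("methods relied on:", methods_used(db, *window))
    for m in (METHOD_1, METHOD_5):
        print(m, method_report(db, m, *window))
```

The "domains reusing" query counts distinct domains rather than certificates, so a domain re-validated once and used on several certificates (example.com above) is reported once; a CA that recorded only the method, without the date the validation was completed, could not separate new validations from reused ones at all.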