On Monday, September 17, 2018 at 1:18:47 PM UTC-5, Wayne Thayer wrote:

> On Mon, Sep 17, 2018 at 9:43 AM Wayne Thayer <wtha...@mozilla.com> wrote:
>
> > Even though the discussion period has ended, Mozilla will continue to consider factual information that is submitted as comments here: https://bugzilla.mozilla.org/show_bug.cgi?id=1325532
> >
> > Your concern about "without comment and then get approved" may stem from a misunderstanding of Mozilla's process, as documented here: https://wiki.mozilla.org/CA/Application_Verification A lack of comments indicates that the community is satisfied with the review that was performed on the inclusion request.
> >
> > Finally, it seems that your concerns with this request have to do with browser vendors also operating CAs? If so, I think that is a topic that is much broader than this inclusion request. Google already operates as a CA via cross-signing, as do Microsoft and Apple.
>
> Correction: Google is already a root CA in Mozilla's program because they acquired two roots from GlobalSign, as discussed here: https://groups.google.com/d/msg/mozilla.dev.security.policy/1PDQv0GUW_s/oxDWH07VDgAJ
>
> > On Mon, Sep 17, 2018 at 8:29 AM jtness--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> >> I am disappointed I didn't see this before the three-week comment period, because this is an incredible disaster. Mozilla is seriously considering permitting a company with a completely unilateral ability to shut other Root CAs down (via their market share over Chrome and Android, and that the CAB has no legal authority to countermand their decisions on what CAs they trust), to then also be a competitor to these companies which it can unilaterally remove from the market? This is the sort of world-ending crud that shouldn't pass through a random Google Group without comment and then get approved.
The risk of any given browser vendor also being a Root CA is small, as most browser vendors do not have the requisite market share to make unilateral decisions. Google possesses over 60% of the browser market and 80% of the mobile operating system market. What avenues does Mozilla have to realistically push back if Google abuses their effective authority over the Internet via browser share in the CA space? Presumably "Firefox becomes the browser that can't establish a connection to google.com or gmail.com" is outside of the realm of realistic scenarios. Neither Apple nor Microsoft has the market share to summarily decide a CA is no longer in business; Google can.

It would seem to me that Google is already the judge, jury, and executioner of the public key infrastructure, and they're about to have a strong financial interest in each CA that is found guilty. Presumably if Google were to summarily execute another large CA in the future, after launching their own certificate offering, they would see a large uptick in business.

With regards to your linked discussion about the GlobalSign root acquisition, I see nothing but more reasons to be concerned. Is there any reason for Google to have acquired the roots from GlobalSign except to backdoor their way into already being in Mozilla's trusted store? I admit to being a layman on this matter, so what exactly is the legitimate case for Google acquiring GlobalSign roots?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy