Currently the Mozilla root program contains a large number of roots that are apparently single-nation CA programs serving their local community almost exclusively, including by providing certificates that they can use to serve content with the rest of the world.

For purposes of this, I define a national CA as a CA that has publicly self-declared that it serves a single geographic community almost exclusively, with that area generally corresponding to national borders of a country or territory.

As highlighted by the discussion, this raises some common concerns for such CAs:

1. Due to the technical way Mozilla products handle the root program data, each national CA is trusted to issue certificates for anyone anywhere in the world despite them not having any self-declared interest to do so. This constitutes an unintentional security risk, as highlighted years ago by the 2011 DigiNotar (NL) incident.

2. For a variety of reasons, the existence of all these globally trusted national CAs has made establishment of such national CAs a matter of pride for governments, regardless of whether they currently have such CAs.

3. There is a legitimate concern that any national CA (government run or not) may be used by that government as a means to project force in a manner inconsistent with being trusted outside that country (as reflected in current Mozilla policy), but consistent with a general view of the rights of nations (as expressed in the UN charter and ancient traditions).

4. Some of the greatest nations on Earth have had their official national CAs rejected by the root program because of #1 or #3, including the US federal bridge CA and China's CNNIC.

This in turn leads to some practical issues:

5. Should the root program policies provide rules that enforce the self-declared scope restrictions on a CA? For example, if a CA has declared that it only intends to issue for entities in the Netherlands, should certificates for entities beyond that be considered as misissuance incidents for that reason alone? (DigiNotar involved misissuance in a much more literal sense.)

6. How should rules for the meaning of such geographical intent be mapped for things like IP address certificates? For example, should the rules use the geography indicated in NRO address space assignments to national ISPs? Or perhaps some information provided by ISPs themselves? (Commercial IP-to-country databases have too high an error rate for certificate policy use.)

7. How should rules for the meaning of such geographical intent be mapped for certificates for domains under gTLDs such as visit-countryname.org or countryname-government.com?

8. Should Mozilla champion a specification for adding such geographic restrictions to CA cert name constraints in a manner that is both backward compatible with other clients and adaptive to the ongoing movement/reassignment of name spaces to/between nations?

9. Should Mozilla attempt to enforce such intent in its clients (Firefox etc.) once the technical data exists?

10. The root trust data provided in the Firefox user interface does not clearly indicate the national or other affiliation of the trusted roots, such that concerned users may make informed decisions accordingly. Ditto for the root program dumps provided to other users of the Mozilla root program data (inside and outside the Mozilla product family). For example, few users outside Scandinavia would know that "Sonera" is really a national CA for the countries in which Telia-Sonera is the incumbent Telco (Finland, Sweden and Åland).

This overall issue was touched repeatedly in the thread, especially point 3 above, but the earliest I could find was in Message ID <mailman.257.1550879505.6708.dev-security-pol...@lists.mozilla.org> posted on Fri, 22 Feb 2019 23:45:39 UTC by "cooperq".

On 07/03/2019 18:59, Jakob Bohm wrote:
> This thread is intended to be a catalog of general issues that come/came
> up at various points in the DarkMatter discussions, but which are not
> about DarkMatter specifically.
>
> Each response in this thread should have a subject line of the single
> issue it discusses and should not mention DarkMatter except to mention
> the Timestamp, message-id and Author of the message in which it came up.
>
> Further discussion of each issue should be in response to that issue.
>
> Each new such issue should be a response directly to this introductory
> post, and I will make a few such subject posts myself.
>
> Once again, no further mentions of Darkmatter in this thread are
> allowed, keep those in the actual Darkmatter threads.
>
> Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
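Points 6 through 8 of the post turn on what RFC 5280 name constraints can and cannot express. As an added illustration (not part of the post, and not any CA's actual configuration), the following Python sketch applies a hypothetical national CA's permittedSubtrees, one ccTLD dNSName subtree plus a placeholder address block standing in for an NRO/RIR assignment, to constructed leaf SAN lists, and shows that a gTLD-hosted national site and an address outside the block both fall outside the declared scope:

```python
import ipaddress

# Constructed, illustrative constraint set: what a national CA's permittedSubtrees
# might look like if its self-declared scope were encoded as RFC 5280 nameConstraints.
# "nl" stands in for the ccTLD; 192.0.2.0/24 (TEST-NET-1) is a placeholder for a real
# registry assignment, which in practice would be read from NRO/RIR data, not hard-coded.
NATIONAL_DNS_SUBTREES = ["nl"]
NATIONAL_IP_SUBTREES = [ipaddress.ip_network("192.0.2.0/24")]


def dns_in_subtree(name, subtree):
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree if it equals the subtree or can
    be formed by adding labels on the left (www.example.nl is under example.nl and nl)."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def ip_in_subtree(addr, subtree):
    """iPAddress constraints are address/mask pairs, i.e. plain CIDR containment."""
    return ipaddress.ip_address(addr) in subtree


def check_san(san, dns_subtrees=NATIONAL_DNS_SUBTREES, ip_subtrees=NATIONAL_IP_SUBTREES):
    """Evaluate a leaf's SAN entries ([("dns", "host"), ("ip", "a.b.c.d"), ...]) against
    the permitted subtrees. Returns the entries that fall outside the declared scope; an
    empty list means the certificate is within scope. A name type with no subtree is
    unconstrained, exactly as RFC 5280 specifies (so otherName, email etc. pass here)."""
    offending = []
    for kind, value in san:
        if kind == "dns" and dns_subtrees:
            if not any(dns_in_subtree(value, s) for s in dns_subtrees):
                offending.append((kind, value))
        elif kind == "ip" and ip_subtrees:
            if not any(ip_in_subtree(value, s) for s in ip_subtrees):
                offending.append((kind, value))
    return offending


if __name__ == "__main__":
    # Constructed leaf SANs, one per situation the post raises.
    samples = {
        "ccTLD host": [("dns", "www.example.nl")],
        "gTLD national site": [("dns", "visit-netherlands.org")],  # point 7: ccTLD rule misses it
        "national IP": [("ip", "192.0.2.10")],
        "foreign IP": [("ip", "198.51.100.7")],                     # point 6: needs registry data
        "mixed": [("dns", "www.example.nl"), ("dns", "example.com")],
    }
    for label, san in samples.items():
        out = check_san(san)
        print(f"{label:20s} {'in scope' if not out else 'out of scope: ' + str(out)}")
```

A subtree of "nl" cannot describe a Dutch entity hosted under .org, and an address subtree only tracks the registry data it was generated from, which is the backward-compatibility and reassignment problem point 8 asks about.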