On 12/7/20 2:21, Ryan Sleevi wrote:
> I want to be clear here: CAs are not trusted by default. The existence of a CA, within a Root Program, is not a blanket admission of trust in the CA.

Here we have a deep disagreement: A CA within a Root Program must be considered as a trusted CA by default. Mistrust in a CA about its ability to operate safely can occur BEFORE being admitted to the Root Program or AFTER being removed from the Root Program. Relying parties trust the Root Program (this implies that they trust all the CAs that are part of the program, without exception).

To obtain this confidence, CAs must comply with all the requirements that are imposed on them in the form of Policies, Norms, Standards and Audits that are decided on an OBJECTIVE basis for all CAs. The fulfillment of all these requirements must be NECESSARY, but also SUFFICIENT to stay in the Root Program.

Some CAs may want to assume a leadership role in the sector and unilaterally adopt additional, stricter security controls. That is totally legitimate. But it is also legitimate for other CAs to assume a secondary role and limit ourselves to complying with all the requirements of the Root Program. You cannot remove a CA from a Root Program for not fully meeting SUBJECTIVE additional requirements.

I want to highlight that both the "destruction of uncompromised keys" and "the prohibition to reuse uncompromised keys" are two security controls that do not appear in any requirement of the Mozilla Root Program, so CAs have no obligation to fulfill them. If someone considers these security controls as necessary, they can be requested to be included in the next version of the corresponding standard.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy