On Fri, 13 Nov 2020 12:11:57 -0500
Ryan Sleevi via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> I want it to be explicit whether or not a CA is making a restrictive
> set or not. That is, it should be clear if a CA is saying "We will
> only accept these specific methods" or if the CA is saying "We will
> accept these methods, plus any method at our discretion".

I see this as essentially redundant. Any major CA which does not choose
"We will accept ... any method at our discretion" under your formulation
stands to be humiliated repeatedly until they revise their policies to
say so as I explained previously.

I guess the existence of the resulting, let's call it, "Sleevi
boilerplate" is harmless, but it seems foolish for Mozilla to demand
people write boilerplate that doesn't achieve anything.

> I encourage you to make use of PACER/RECAP then.

I examined 7 pages of RECAP results for "Key Compromise". Most of them
meant this phrase in the sense of "important settlement of differences"
but some were cryptography related.

Here is what I found:

There were verbatim copies of RFCs 2459 and 3281 submitted as evidence
to a patent case that ends up involving Acer, Microsoft and others.

Another case submitted as evidence the ISRG CPS. It's a Lanham Act case
roughly along lines Let's Encrypt followers will be familiar with, the
plaintiff wants a certificate revoked, Let's Encrypt says they just
issue certificates for DNS names, have the court take the DNS name away
if that's the issue. Not relevant here.

And finally there's an EFF Amicus briefing which says basically key
compromise is bad, which everybody here already knew.



I found no evidence that there are in fact such "secret documents" and
no evidence there's a problem here that would or could be fixed by your
preferred language for this Mozilla policy.

If you have a _much_ more specific claim than just "Somebody has
mentioned it in court at some point" then please make it.


Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy