On Mon, Dec 28, 2020 at 6:35 AM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> El miércoles, 23 de diciembre de 2020 a las 0:01:23 UTC+1, Wayne Thayer > escribió: > > On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy < > > dev-secur...@lists.mozilla.org> wrote: > > > > > Hi Ben, Ryan, Burton and all: > > > > > > Camerfirma will present its claims based on a description of the > problems > > > found by associating the references to the specific bugs. > > > After making a complete analysis of the bugs as presented by Ben, > always > > > considering that bugs are the main source of truth, we see that the > > > explanations offered by Camerfirma could generally be better > developed. We > > > hope to make up for these deficiencies with this report. > > > > > > > > It's worth pointing out that in April 2018, the Camerfirma '2016 roots' > > inclusion request [1] was denied [2] after a host of issues were > > documented. At that time it was made clear that ongoing trust in the > older > > roots was in jeopardy [3]. While some progress was made, the number, > > severity, and duration of new and ongoing bugs since then remains quite > > high. In this context, I don't find these new disclosures and > commitments > > from Camerfirma to form a convincing case for their trustworthiness. > > > > - Wayne > > > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=986854 > > [2] > > > https://groups.google.com/g/mozilla.dev.security.policy/c/skev4gp_bY4/m/snIuP2JLAgAJ > > [3] > > > https://groups.google.com/g/mozilla.dev.security.policy/c/skev4gp_bY4/m/ZbqPhO5FBQAJ > > Hi Wayne > > I understand your concern but, Camerfirma has indeed achieved huge > improvements in terms of Mozilla’s policy compliance during recent years. > Camerfirma nowadays has a much more mature management system. It’s true, > some bugs have occurred but, looking at the bugs dashboard, our situation > cannot be considered very different from other CAs. So there's three specific claims here, as to why serious consideration of distrust isn't warranted: 1. Camerfirma has made huge improvements 2. Camerfirma nowadays has a much more mature management system. 3. Camerfirma is not very different from other CAs. These statements are ones that are sort of "true by degree". That is, if I was to dispute 1, Camerfirma would/could rightfully point out that they were *much* worse before, and so yes, it's true that they've improved. Similarly, to point out at how laughably bad the old system was does show that there is a degree of truth in 2. And, as I laid out in my own post, Camerfirma *is* not very different from other CAs - CAs that have been distrusted, for not very different reasons than Camerfirma. I'm sure Camerfirma meant to mean "not much different than other *currently trusted* CAs", but that's equally a degree of truth - many individual incidents affected other CAs, even though the sheer volume *and nature* of Camerfirma bugs is troubling. This is an issue of judgement here, about whether or not the degree of truth to these statements adequately reflects the very risk that continued trust in Camerfirma poses. The sheer volume of bugs do help paint a trendline, which is what Camerfirma is arguing here, but just there's a big difference between y = x + x, y = x * x, and y = x ^ x, there's a big difference in the nature of the incidents, the quality of response, and the (lack of) a meaningful rate of improvement that don't really inspire confidence. Similarly, the risk in removing trust is exceedingly low, which helps show the "risk to current users" (from trusting) versus the "risk of breaking things" (by distrusting) is not a major consideration. I would be curious if folks believe there is evidence that is being overlooked from the Wiki, or believe that there is a different perspective that can be reached from that data, and if they'd like to show how and why they reached that conclusion. I've shared my perspective, but value learning more if others do see things differently. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
