On Mon, 25 Jan 2021 22:21:31 -0700
Ben Wilson via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> Camerfirma has responded to the list of issues by providing a Remediation 
> Plan,
> https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing,
> with a commitment to align Camerfirma to the highest level of standards of
> the Mozilla community.

For years, Camerfirma has promised to improve but failed to
deliver.  In 2017, they promised technical controls over DNS
names <https://bugzilla.mozilla.org/show_bug.cgi?id=1390977#c30>
yet in 2019 they misissued for an unregistered domain
name because they "did not have the automatic controls yet"
<https://bugzilla.mozilla.org/show_bug.cgi?id=1672423>.  In 2017,
they promised linting of all certificates, and are promising it
again in their latest remediation plan.  In 2019 they assured
Mozilla that they had contractual control over their sub-CAs
including mandatory revocation and use of a central lint service
<https://bugzilla.mozilla.org/show_bug.cgi?id=1556806#c9>.  Yet their
sub-CA Intesa Sanpaolo continued to delay revoking certificates
<https://bugzilla.mozilla.org/show_bug.cgi?id=1668331> that were
misissued with invalid stateOrProvinceNames
<https://bugzilla.mozilla.org/show_bug.cgi?id=1667430>.  Now Camerfirma
is once again proposing to use contractual controls to remediate their
sub-CAs' problems.

Given Camerfirma's past behavior, why should Mozilla trust Camerfirma to
deliver on their latest remediation plan?  Mozilla's users should not
have to assume the risk of trusting Camerfirma while we wait to see if
this time, Camerfirma finally becomes a competent and trustworthy CA.
Instead of making Mozilla users assume the risk, Camerfirma should be
distrusted now.  When Camerfirma applies for re-inclusion, Mozilla can
evaluate whether the remediation plan has worked.

On Tue, 26 Jan 2021 16:01:31 -0700
Ben Wilson via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> First, it has been Mozilla's long-standing position that, "We believe
> that the best approach to safeguarding secure browsing is to work with CAs
> as partners, to foster open and frank communication, and to be diligent
> in looking for ways to keep our users safe."  So, expect that we will
> take a well-thought and deliberate approach to this issue with Camerfirma.

The other part of this is "participation in Mozilla's CA Certificate
Program is at our sole discretion, and we will take whatever steps are
necessary to keep our users safe."

Mozilla has been working with Camerfirma since 2017 through the
many compliance bugs in Bugzilla.  In several cases, Camerfirma's
communications were lackluster or sluggish rather than "open and
frank", e.g.:

- Failure to disclose misissuance that they were aware of:
<https://bugzilla.mozilla.org/show_bug.cgi?id=1672409>

- 4 week delay publishing incident report:
<https://bugzilla.mozilla.org/show_bug.cgi?id=1478933>

- 2 month delay publishing incident report:
<https://bugzilla.mozilla.org/show_bug.cgi?id=1431164>

- Failure to provide timely updates or explain reason for remediation
delays: <https://bugzilla.mozilla.org/show_bug.cgi?id=1556806>

Mozilla's years-long effort to work with Camerfirma has not produced
sufficient improvement.  It's now time for Mozilla to exercise its
discretion and distrust Camerfirma to keep its users safe.

> So, expect that we will take a well-thought and deliberate approach to this 
> issue with Camerfirma.

As a point of comparison, the "Summary of Camerfirma's Compliance Issues"
thread has received 20 comments from 12 distinct community members which
are overwhelmingly critical of Camerfirma, including several comments
calling explicitly for distrust.  This new thread has attracted further
critical comments. The most similar previous incidents (small CAs with
a large number of compliance problems) were PROCERT and Certinomis.
Those discussion periods lasted just 14 and 30 days respectively, and
fewer people commented on them compared to the Camerfirma discussion.
The Camerfirma discussion has gone on for nearly 8 weeks at this point.
Camerfirma has received more deliberation than similar CAs did, and it's
inconsistent for Mozilla to prolong the discussion further.

> So there is another issue that needs to be considered, if distrust is
> chosen, whether to remove just the websites trust bit or to take action
> against all 4 roots, and if so, on what basis?

Like Wayne, I don't believe we have any reason to trust that Camerfirma
manages S/MIME certificate issuance any better than TLS certificate
issuance. Mozilla should distrust all Camerfirma roots so that both
Firefox and Thunderbird users are protected.

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy