Would a "SHOULD" work better? Rather than making it a requirement, what if
it were a recommendation? Would that give CAs the needed flexibility?
On Wed, Oct 27, 2021 at 5:08 AM Pedro Fuentes <pfuente...@gmail.com> wrote:
> Hello,
>
> If we look at the Mozilla Policy, related to inclusion decisions, we see:
> "We reserve the right to not include certificates from a particular CA in
> our root program. This includes (but is not limited to) cases where we
> believe that a CA has caused undue risks to users’ security, e.g. by
> knowingly issuing certificates without the knowledge of the entities whose
> information is referenced in those certificates ('MITM certificates').
> Mozilla is under no obligation to explain the reasoning behind any
> inclusion decision."
>
> This seems to add a certain level of arbitrariness, and my question is...
> how Mozilla is considering the "non-discriminatory" conduct to these
> aspects of the policy. Should we expect some changes in that respect?
>
> OK, I'm forcing the situation here, but this is what I mean... while it's
> obvious that a CA should not do any discriminatory practice based "race,
> ethnicity, gender, age, and plenty of other reasons", I just also think
> that the CAs should have also the possibility to reserve certain rights of
> not making business with an individual or company... So in general I'm not
> super-comfortable with a too broad approach here.
>
> El miércoles, 27 de octubre de 2021 a las 9:24:25 UTC+2,
> rufus.b...@siemens.com escribió:
>
>> Honestly spoken, I still like the proposed language based on ETSI. I
>> think it balances the duties of both parties (CAs and (potential)
>> subscribers) fairly. If we look into the hard requirements of the proposed
>> language it has three duties for the CA:
>>
>> 1. They need to have “non-discriminatory” practices
>> 2. They need to describe in their “terms and condition” with whom
>> they do business
>> 3. and they have to do business with everybody who meets the
>> requirements
>>
>>
>>
>> Regarding 1: I understand this as something internal of the CA. This will
>> need to be checked by the Auditor in the annual compliance audit and
>> probably it will be discussed with the auditor every year again. But isn’t
>> this exactly what we always need to do? If we wouldn’t always reflect on
>> our understanding “non-discriminatory” probably the Jim-Crow-Laws would
>> still be in place in the US
>>
>>
>>
>> Regarding 2) This is more or less a one-time effort. The CA describes
>> their target audience and with whom they don’t do business
>>
>>
>>
>> Regarding 3) Shouldn’t this be the normal behavior? In Germany we even
>> have a law (Allgemeines Gleichbehandlungsgesetz – Wikipedia
>> <https://de.wikipedia.org/wiki/Allgemeines_Gleichbehandlungsgesetz>
>>
>> - sorry no English translation of this article available) that
>> forbids discriminatory practices if they are based on race, ethnicity,
>> gender, age, and plenty of other reasons
>>
>>
>>
>> /Rufus
>>
>>
>>
>> *Von: *dev-secur...@mozilla.org <dev-secur...@mozilla.org> im Auftrag
>> von Ben Wilson <bwi...@mozilla.com>
>> *Datum: *Mittwoch, 27. Oktober 2021 um 05:26
>> *An: *dev-secur...@mozilla.org <dev-secur...@mozilla.org>
>> *Betreff: *Re: Policy 2.8: MRSP Issue #129: Require non-discriminatory
>> CA conduct
>>
>> The intent of the proposal was to ensure that CAs act fairly by applying
>> objective, stated criteria to decisions (1) to not issue a certificate or
>> (2) to revoke a certificate, but now I think that trying to prevent
>> arbitrary refusals/revocations with policy language might raise more
>> problems than we would be able to solve with any language we could adopt.
>> However, I am still open to suggestions. Do any of these concepts resonate
>> as satisfactory alternatives to "non-discriminatory" to anybody: unbiased,
>> non-arbitrary, objective, impartial, reasoned, justified, rational, or
>> variations thereof? Can something be written that would meet the intent
>> stated above without the need to interpret it repeatedly on a case-by-case
>> basis for CAs in the future?
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> On Tue, Oct 26, 2021 at 8:14 AM Josh Aas <jo...@letsencrypt.org> wrote:
>>
>> I think it would be helpful to have more clarity on what behavior this
>> proposal is intended to prevent. With examples, if possible. It might
>> make it easier to understand if anything ought to be done, and if so,
>> what language would be most appropriate.
>>
>> On Tue, Oct 19, 2021 at 4:54 PM Ben Wilson <bwi...@mozilla.com> wrote:
>> >
>> > As an initial edit, I am proposing that we add the following language
>> as a new subsection 6 to MRSP section 2.1 - "[CAs SHALL] provide services
>> on a non-discriminatory basis to all applicants who meet the requirements
>> and agree to abide by their obligations as specified in the CA's terms and
>> conditions". See
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/fab61408608feed365a9446ac47560a34c06cf85
>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fpkipolicy%2Fcommit%2Ffab61408608feed365a9446ac47560a34c06cf85&data=04%7C01%7Crufus.buschart%40siemens.com%7Cdacd98614a64468c766e08d998f98bc0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637709019828112932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=KzCNXr5Up8rg%2FVaSRSxF2J%2Bth29553Kax6TBdbOWe1Y%3D&reserved=0>
>> >
>> > On Thu, Oct 7, 2021 at 6:06 PM Ben Wilson <bwi...@mozilla.com> wrote:
>> >>
>> >> All,
>> >>
>> >> This email is the first in a series of discussions concerning the next
>> version of the Mozilla Root Store Policy (MSRP), version 2.8, to be
>> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8
>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmozilla%2Fpkipolicy%2Flabels%2F2.8&data=04%7C01%7Crufus.buschart%40siemens.com%7Cdacd98614a64468c766e08d998f98bc0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637709019828122886%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=KrAvbOJ6DjF373V5Q3kuhwU%2BBBCa%2B%2F8R7WN47fLNDJ8%3D&reserved=0>
>> )
>> >>
>> >> Issue #129 in GitHub proposes that we add a policy of
>> non-discrimination to the MRSP.
>> >>
>> >> This particular issue arose from discussions of whether CAs should be
>> allowed to arbitrarily refuse to issue or to revoke certificates. (The
>> situation involved an EV certificate for Stripe, Inc., of Kentucky,
>> https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ
>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fg%2Fmozilla.dev.security.policy%2Fc%2FNjMmyA6MxN0%2Fm%2FasxTGD3dCAAJ&data=04%7C01%7Crufus.buschart%40siemens.com%7Cdacd98614a64468c766e08d998f98bc0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637709019828132836%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=jKzMo2m7kFy2A%2Bn%2BxgkvLFXamygh4r%2Fp0qrXs6vb9Kc%3D&reserved=0>).
>> Many of you argued that CAs should objectively and non-arbitrarily apply
>> the issuance and revocation standards of the CA/Browser Forum. The full
>> discussion can be read in the email thread referenced above, so I'll forego
>> any attempt to recap.
>> >>
>> >> Potential policy language can be paraphrased from the suggestion made
>> in Issue #129, which was to base language on ETSI 319 401--"Practices under
>> which the CA operates SHALL be non-discriminatory. The CA SHALL make its
>> services accessible to all applicants who meet the requirements and agree
>> to abide by their obligations as specified in the CA's terms and
>> conditions." Alternative wording might be something like, "Decisions not to
>> issue or to revoke a certificate should be based on the unbiased
>> application of the CA/Browser Forum's requirements using the objective
>> criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s
>> issuance and revocation requirements in a non-arbitrary manner."
>> >> Is a variation of the language above sufficient? What do you suggest
>> as language? Should it be inserted somewhere in section 2 of the MRSP?
>> >>
>> >> Thoughts?
>> >>
>> >> Thanks,
>> >>
>> >> Ben
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "dev-secur...@mozilla.org" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to dev-security-po...@mozilla.org.
>> > To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsOaZP88JXg5qP%2BGjZoAvc0n4_Y2Y%2B63KF94h2OoTDDQ%40mail.gmail.com
>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtabsOaZP88JXg5qP%252BGjZoAvc0n4_Y2Y%252B63KF94h2OoTDDQ%2540mail.gmail.com&data=04%7C01%7Crufus.buschart%40siemens.com%7Cdacd98614a64468c766e08d998f98bc0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637709019828132836%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=VdoOEIDZXS%2FmZx8PflKkCZhYUKZ5OGQ2AHO4hQVycXs%3D&reserved=0>
>> .
>>
>>
>>
>> --
>> Josh Aas
>> Executive Director
>> Internet Security Research Group
>> Let's Encrypt: A Free, Automated, and Open CA
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "dev-secur...@mozilla.org" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dev-security-po...@mozilla.org
>>
>> .
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa_8Wk4Gs97udUDom%3DzjcQxH-kKKEV3zFwmW%2BiPTxps9Q%40mail.gmail.com
>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtaa_8Wk4Gs97udUDom%253DzjcQxH-kKKEV3zFwmW%252BiPTxps9Q%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=04%7C01%7Crufus.buschart%40siemens.com%7Cdacd98614a64468c766e08d998f98bc0%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637709019828142799%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LQX0yzVOyUE6%2Bp%2B%2FwvZ%2FqXoORp1ZPWvEMnrfqD0969A%3D&reserved=0>
>> .
>>
>
--
You received this message because you are subscribed to the Google Groups
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZMX--kLd8NrZw_yOcJgxYVc7kLGvBgaEsyaD4c5CfwqA%40mail.gmail.com.
