On Sun, Feb 26, 2023 at 2:22 AM Ryan Hurst <ryan.hu...@gmail.com> wrote:

>
> This thread and associated bug have been silent for an
> uncharacteristically long time, and I am curious as to when this issue will
> be closed.
>
>
> Furthermore, I would like to understand what changes will be put into
> place to clarify appropriate incident handling behavior. It is important
> that Mozilla establishes a clear protocol for handling security incidents
> and communicates this effectively to all participants.
>
>
> I am also curious as to how Mozilla will choose to interpret the facts that
> have been made available. The way in which this incident is handled will
> establish a precedent for future security incidents, and it is important
> that Mozilla approaches this with a clear and consistent stance.
>
>
> Ryan Hurst
>

So my take on this is: we're still in the 2000 era of "apply to be a root
CA, get in by default, stay in by default", that is to say, if you have all
the paperwork and don't do something terrible, well, you're good to go.
Witness:

SERPRO issued numerous malformed/bad certificates indicating a lack of the
most basic controls and voluntarily withdrew their application and can
re-apply later.

BJCA.cn has links to what appears to be spyware, but has said "it's fine"
and they have been approved:

This is notice that I am closing public discussion and that I am
recommending that we approve BJCA’s inclusion request.
This begins a 7-day "last call" period for any final objections.

Also no mention or suggestion of limiting them to e.g. .cn for example.

TRUSTCOR not only crossed some lines but then publicly made statements that
were later found to be false; I'm guessing had they "fallen on their sword"
and apologized, they'd still be a CA.

Mailing list participation is another good indicator that nobody really
cares: the same 20-30 people are posting, on issues that affect the entire
world.

The reality is that nobody really cares, nothing that bad has happened (at
least in the western world, ignoring the spyware and dead journalists, and
repression in various countries). I have a briefing on this and it boils
down to "if you want to be especially paranoid do what VISA does (
https://developer.visa.com/pages/trusted_certifying_authorities), there's
no point in trying to prevent bad CAs from getting in or staying in".





> On Monday, November 28, 2022 at 2:52:47 AM UTC-8 Peter Gutmann wrote:
>
>> Ian Carroll <i...@ian.sh> writes:
>>
>> >There are many statements about M of N, HSM access, etc which do not appear
>> >to be relevant to this issue.
>>
>> That's not specific to e-Tughra though, that's standard for CAs where what
>> gets audited is all the fancy security mechanisms around the CA's private
>> key(s) and what barely, or not at all, gets audited is the various RAs that
>> pull the CA's strings.
>>
>> Years ago I saw a cartoon lampooning a certain country's defence policy which
>> had lifeguard-style flags set up on a piece of open ground and a sign between
>> them saying "Please attack between the flags". With CAs it'd be "please
>> audit between the flags".
>>
>> Not defending or criticising e-Tughra, just pointing out that this isn't their
>> fault, it's How CAs Are Done.
>>
>> Peter.
>>
>>

-- 
Kurt Seifried (He/Him)
k...@seifried.org
