On Wed, Mar 1, 2023 at 7:54 PM Ryan Hurst <ryan.hu...@gmail.com> wrote:
> Kathleen/Ben,
>
> I have been thinking about the new Concerning Behavior
> <https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior>
> language being proposed for the Mozilla Root Store Policy and I wanted to
> share my thoughts relative to this policy and censorship.
>
> When discussing CA inclusions, a topic that commonly comes up is the risk
> of the applicant violating the privacy of Mozilla's users by enabling
> MiTMs. However, there are other concerning behaviors that are not often
> discussed, such as the use of certificate issuance and denial as tools for
> censorship, community exclusion, and enabling misinformation.
>
> These behaviors can have far-reaching impacts on Mozilla's customers and
> are not aligned with the objectives of Mozilla as I understand them.
>
> In 2015, Let's Encrypt wrote a blog post on why CAs make poor content
> watchdogs <https://letsencrypt.org/2015/10/29/phishing-and-malware.html>.
> I believe the points raised in this post are still relevant today, and it
> may make sense to add some language to the Concerning Behavior section of
> the Root Store Policy to make Mozilla's position on these topics clear.
>
> For example, we could consider adding the following bullets to the warning
> signs section:
>
> - CA operators who attempt to act as a content watchdog beyond what is
>   required by other root programs or governing legal jurisdictions should be
>   seen as a warning sign of behavior that could lead to censorship and be
>   incompatible with Mozilla's objectives for the root program and its
>   principles overall.
> - CA operators who attempt to act as content watchdogs by denying the
>   issuance of Internationalized Domain Names (IDNs) for reasons beyond legal
>   jurisdictional requirements, what is required by other root programs, or
>   the technical limitations of their certificate issuance systems should be
>   seen as a warning sign of behavior that could lead to censorship which
>   would be incompatible with Mozilla's objectives for the root program and its
>   principles overall as it limits access to the internet for non-English
>   speaking users and may be used as a tool for political or cultural control.
>

Silly question but why isn't there more usage of certificate restrictions, e.g. if a CA from a country has some concerns (like SERPRO) it would be much less damaging if they were more limited (e.g. to *.br).

> While this is probably not the exact right wording something similar to
> this has the potential to make it clear what Mozilla's position on these
> topics is and as a result, strongly discourage CAs from leveraging their
> position to support these activities.
>
> Best regards,
>
> Ryan Hurst
>
> On Wed, Mar 1, 2023 at 4:46 PM Kathleen Wilson <kwil...@mozilla.com> wrote:
>
>> I continue to receive feedback/concerns about the auditor bullet point in
>> the "Concerning Behavior
>> <https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior>"
>> section, so I am attempting to resolve those concerns with the following
>> version of that bullet point:
>>
>> - The CA is using an auditing organization (ETSI
>>   <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications>,
>>   WebTrust
>>   <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications>)
>>   that has not audited other publicly trusted CAs whose root certificates are
>>   included in browser root store programs, and the Auditor Qualifications
>>   <https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications>
>>   indicate that the audit team is inexperienced in auditing CA operations,
>>   public key infrastructure, trust services or similar information systems.
>>   - New auditors are allowed under the condition that the CA ensures
>>     that the Audit Team is led by third-party specialists or affiliate audit
>>     firms who are experienced in auditing publicly trusted CAs, and this
>>     information must be provided as part of the Auditor Qualifications.
>>
>> I will appreciate feedback and suggestions on this new text. Does it
>> address your concerns?
>>
>> Also, I am no longer receiving feedback on the rest of the wiki page,
>> https://wiki.mozilla.org/CA/Root_Inclusion_Considerations, so I am
>> assuming that the rest of the page is solid (i.e. ready to remove the
>> "DRAFT" at the top of the page).
>>
>> Thanks,
>> Kathleen
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "dev-security-policy@mozilla.org" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dev-security-policy+unsubscr...@mozilla.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/164d74b3-2371-4d79-815c-2bcd466ace00n%40mozilla.org.

--
Kurt Seifried (He/Him)
k...@seifried.org