It is a little bit up to the CA to determine. They know the laws of their 
jurisdiction and their tolerance for legal risk. If something is questionable 
legally, then the CA probably shouldn't issue.
________________________________
From: Ryan Hurst <ryan.hu...@gmail.com>
Sent: Wednesday, March 1, 2023 9:16:38 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: Kathleen Wilson <kwil...@mozilla.com>; dev-security-policy@mozilla.org 
<dev-security-policy@mozilla.org>
Subject: Re: DRAFT: Root Inclusion Considerations

I do believe it’s appropriate for there to be language to accommodate what is 
required by law. Such language would accommodate legal obligations like sanctions 
should they be relevant. The language like you propose leaves it to the CA to 
determine if it’s questionable. This is very problematic given the realities of 
this ecosystem.

The purpose of the WebPKI is to facilitate delegated TOFU, not content or name 
policing. CAs do not have access to the content served to the relying party and 
Mozilla uses safe browsing and other motivations focused on content and names.

Expanding the scope to more than that without a clear mandate or standard is 
too dangerous given the global and distributed nature of this ecosystem.

Ryan Hurst

On Wed, Mar 1, 2023 at 8:10 PM Jeremy Rowley 
<jeremy.row...@digicert.com> wrote:
I think this approach is dangerous too though. Is it censorship if a CA won’t 
issue to Russian entities? What about to other government entities? If Mozilla 
goes down this route, the policy should include some standard where a CA can 
exclude entities where there is a risk of potentially facilitating 
legally questionable activity.
________________________________
From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> on 
behalf of Ryan Hurst <ryan.hu...@gmail.com>
Sent: Wednesday, March 1, 2023 7:54:31 PM
To: Kathleen Wilson <kwil...@mozilla.com>
Cc: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Subject: Re: DRAFT: Root Inclusion Considerations


Kathleen/Ben,


I have been thinking about the new Concerning Behavior 
<https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior> 
language being proposed for the Mozilla Root Store Policy and I wanted to 
share my thoughts relative to this policy and censorship.


When discussing CA inclusions, a topic that commonly comes up is the risk of 
the applicant violating the privacy of Mozilla's users by enabling MiTMs. 
However, there are other concerning behaviors that are not often discussed, 
such as the use of certificate issuance and denial as tools for censorship, 
community exclusion, and enabling misinformation.


These behaviors can have far-reaching impacts on Mozilla's customers and are 
not aligned with the objectives of Mozilla as I understand them.


In 2015, Let's Encrypt wrote a blog post on why CAs make poor content 
watchdogs <https://letsencrypt.org/2015/10/29/phishing-and-malware.html>. 
I believe the points raised in this post are still relevant today, and it may 
make sense to add some language to the Concerning Behavior section of the Root 
Store Policy to make Mozilla's position on these topics clear.


For example, we could consider adding the following bullets to the warning 
signs section:


  *   CA operators who attempt to act as a content watchdog beyond what is 
required by other root programs or governing legal jurisdictions should be seen 
as a warning sign of behavior that could lead to censorship and be incompatible 
with Mozilla's objectives for the root program and its principles overall.
  *   CA operators who attempt to act as content watchdogs by denying the 
issuance of Internationalized Domain Names (IDNs) for reasons beyond legal 
jurisdictional requirements, what is required by other root programs, or the 
technical limitations of their certificate issuance systems should be seen as a 
warning sign of behavior that could lead to censorship which would be 
incompatible with Mozilla's objectives for the root program and its principles 
overall as it limits access to the internet for non-English speaking users and 
may be used as a tool for political or cultural control.


While this is probably not the exact right wording, something similar to this 
has the potential to make it clear what Mozilla's position on these topics is 
and, as a result, strongly discourage CAs from leveraging their position to 
support these activities.


Best regards,

Ryan Hurst



On Wed, Mar 1, 2023 at 4:46 PM Kathleen Wilson 
<kwil...@mozilla.com> wrote:
I continue to receive feedback/concerns about the auditor bullet point in the 
"Concerning Behavior" 
<https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior> 
section, so I am attempting to resolve those concerns with the following 
version of that bullet point:


  *   The CA is using an auditing organization 
(ETSI <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications>, 
WebTrust <https://wiki.mozilla.org/CA/Audit_Statements#Verifying_WebTrust_Auditor_Qualifications>) 
that has not audited other publicly trusted CAs whose root certificates are 
included in browser root store programs, and the Auditor Qualifications 
<https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications> 
indicate that the audit team is inexperienced in auditing CA operations, 
public key infrastructure, trust services or similar information systems.
     *   New auditors are allowed under the condition that the CA ensures that 
the Audit Team is led by third-party specialists or affiliate audit firms who 
are experienced in auditing publicly trusted CAs, and this information must be 
provided as part of the Auditor Qualifications.

I will appreciate feedback and suggestions on this new text. Does it address 
your concerns?

Also, I am no longer receiving feedback on the rest of the wiki page, 
https://wiki.mozilla.org/CA/Root_Inclusion_Considerations, 
so I am assuming that the rest of the page is solid (i.e. ready to remove the 
"DRAFT" at the top of the page).

Thanks,
Kathleen




-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB2600ACD8B8F6C1B09D4B13208EB29%40BYAPR14MB2600.namprd14.prod.outlook.com.