I’d like to add a few points to this discussion that stem from things already mentioned here by Ryan, Seo, Roman, Matt, et al:
1) As there’s no single legal framework under which all CAs operate, I don’t think Mozilla or any other Trust Store can implement a single rule that fits everyone. However: What CAs can do is study their jurisdiction and prepare for future events: for example, amend the Subscriber Agreement and other documents (Procurement Proposals / Marketing Material / …) to set expectations accordingly. If every Subscriber is informed and agrees upon these rules then perhaps there’s a weaker case here by a Subscriber. In many places it would become their failure that they ask others to pay for, which looks bad. Incident Reports can then take into account the degree of preparation by the CA for such events. Someone that took reasonable precautions but sat before a judge having a bad day should not be treated equally as someone that chose willingly to remain open to this risk (or even encouraged their customers to request TROs against them(!)) to profit from it. What Trust Stores can do is make the CAs’ cases stronger: after reviewing this specific TRO, for example, someone may decide that the cost to the Subscriber is higher than the cost to the CA. If the cost of the CA is also high, and probably comparable, and the Subscriber understood and agreed to the expectations, then maybe we can minimize the grants of such restrictions. 2) We may be opening up the ecosystem here to more legal issues, which our governance model may not be able to accommodate: what if a CA gets a TRO against a Trust Store to keep them in the list? What if a restriction is granted in a single jurisdiction? Can a CA only revoke a certificate within a US state or within Germany? Can a Browser remove a CA only in a specific location? Or only keep it as unrevoked / trusted just there? As Roman said, I don’t think ignoring the laws and the court system is the answer anyone wants to see, and I also understand that not every CA has the resources to put up a high quality case in a short amount of time, but there are certainly things I would believe are possible to mitigate the impact of future events that people can collaboratively work towards. 3) Delayed revocations may also happen because of a CA’s management decision from someone outside the CA. For example, there are many large companies that have a CA and also use that CA’s certificates in their infrastructure. If such a CA misissues and revocation is required within 24 hours or 7 days, yet operationally it may not be possible, how do we know that the company’s management won’t crunch the numbers and find out that n hours of downtime cost more than their entire CA times the probability of being distrusted? If I remember correctly, Ryan Sleevi was the one to first bring this up as a risk, but no action was taken since. Should a company that’s willing to burn $10M to save e.g. $50M be in a more privileged position? Antonis > On 10 Jun 2025, at 10:19, Matt Palmer <[email protected]> wrote: > > On Tue, Jun 10, 2025 at 10:20:26AM +0300, 'Dimitris Zacharopoulos' via > [email protected] wrote: >> In case people have missed it, this particular topic was discussed at the >> last CA/B Forum F2F meeting >> <https://cabforum.org/2025/03/27/minutes-of-the-f2f-64-meeting-in-tokyo-japan-forum-level-march-25-26-2025/#panel-qa-with-all-guest-speakers>. >> I believe you will find useful information about the TRO process, especially >> in the United States, in Brian Holland's presentation >> <https://cabforum.org/2025/03/27/minutes-of-the-f2f-64-meeting-in-tokyo-japan-forum-level-march-25-26-2025/1-CABF%20-%20Dealing%20with%20TROs%2020250325.pdf>. > > Hey look, I'm CABF-famous! (I don't know that I've ever been quoted in > a presentation before) > >> One thing I recall from that discussion is that when a TRO is dismissed, the >> reasons of that dismissal are documented, especially if the TRO was granted >> on wrong basis, making it unlikely that another court will issue a TRO with >> the same justification as the previous one that got dismissed. > > Your recollection is at odds with the minutes you linked to; "Brian" > (presumably Brian Holland, although there is ambiguity) is recorded to > have said "*Some* opinions are published" (emphasis added). That same > point also says that "a judge *might* get mad enough that they talk to > the other judges" (again, emphasis added). In other words, there's > still the possibility that a TRO might still be granted, and that's even > before we consider the many and varied jurisdictions that might be used. > >> The fact that a TRO was issued to prevent certificates from being revoked >> doesn't necessarily mean that it will be an event that can be reproduced, >> especially if a court later reviews the case and dismisses the TRO after >> considering all the facts. > > Well, if there's never another TRO incident, then there need never be > another delayed revocation, and the "delayed revocation == > insta-distrust" rule need never be invoked, which means there's no > reason not to put it in the policy. > > - Matt > > -- > You received this message because you are subscribed to the Google Groups > "[email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/addbf1e4-ccdd-4002-bfb3-8ba23ed9cbbc%40mtasv.net. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/016E8986-D29A-4ED7-8EDF-539E04569713%40gmail.com.
