On Tue, Jun 10, 2025 at 11:44:34AM +0200, Antonios Chariton wrote:
> 1) As there’s no single legal framework under which all CAs operate, I
> don’t think Mozilla or any other Trust Store can implement a single
> rule that fits everyone.

Counterpoint: they absolutely can, should, and indeed _must_.
Special-casing CAs based on the legal behaviour of their applicable
jurisdictions is a short path to madness.

> What CAs can do is study their jurisdiction and prepare for future
> events: for example, amend the Subscriber Agreement and other
> documents (Procurement Proposals / Marketing Material / …) to set
> expectations accordingly.

They're supposed to be doing that already.

> If every Subscriber is informed and agrees upon these rules then
> perhaps there’s a weaker case here by a Subscriber.

"Weaker" does not mean "too weak to sustain a TRO".

> Incident Reports can then take into account the degree of preparation
> by the CA for such events.

That can (and I'm sure does) already happen.  At the limits, a CA that
takes a sufficient degree of preparation probably won't have to file an
incident report at all.

> What Trust Stores can do is make the CAs’ cases stronger: after
> reviewing this specific TRO, for example, someone may decide that the
> cost to the Subscriber is higher than the cost to the CA. If the cost
> of the CA is also high, and probably comparable, and the Subscriber
> understood and agreed to the expectations, then maybe we can minimize
> the grants of such restrictions.

That is a side-effect of the insta-distrust sanction I proposed: it
gives CAs a clear piece of data they can use to argue that a TRO will be
unduly harmful to them.  It's not helpful if the order is granted ex
parte, but nothing's perfect.

> 2) We may be opening up the ecosystem here to more legal issues, which
> our governance model may not be able to accommodate: what if a CA gets
> a TRO against a Trust Store to keep them in the list?

A distrust does not have the same degree of time-sensitivity as a
certificate revocation, so a TRO is not a meaningful blocker to
distrust.  A TRO is typically only useful for a few days/weeks; a
hearing on the merits is usually scheduled very quickly after the TRO is
issued, at which point the trust store gets to present the evidence that
demonstrates they are entirely within their rights to distrust the CA.
I would expect such a hearing to go in the favour of the trust store,
simply because Actual Lawyers are involved in operating trust stores,
and if a trust store _doesn't_ have the ability to manage its own list,
there are much bigger problems going on.

> As Roman said, I don’t think ignoring the laws and the court system is
> the answer anyone wants to see

Nobody is proposing ignoring laws and the court system.  Rather, we're
discussing strategies to protect the integrity of the WebPKI from errant
legal decisions.

This is no different to a situation in which a court or law-making body
requires a CA to issue a certificate in violation of the CA's validation
processes.  Are you (and Roman) suggesting that, just because a court or
law-making body required the certificate issuance, that there's nothing
that trust stores can do, and the CA should continue to operate as
though nothing had happened?

> I also understand that not every CA has the resources to put up a high
> quality case in a short amount of time

Lack of resources is not a valid argument against effective CA
operation.  "We didn't have the money to buy an HSM"...

> but there are certainly things I would believe are possible to
> mitigate the impact of future events that people can collaboratively
> work towards.

Then feel free to propose them, if you feel that my options aren't
appropriate.

> 3) Delayed revocations may also happen because of a CA’s management
> decision from someone outside the CA. For example, there are many
> large companies that have a CA and also use that CA’s certificates in
> their infrastructure. If such a CA misissues and revocation is
> required within 24 hours or 7 days, yet operationally it may not be
> possible, how do we know that the company’s management won’t crunch
> the numbers and find out that n hours of downtime cost more than their
> entire CA times the probability of being distrusted? If I remember
> correctly, Ryan Sleevi was the one to first bring this up as a risk,
> but no action was taken since. Should a company that’s willing to burn
> $10M to save e.g. $50M be in a more privileged position?

At the limit, there's not a lot that can be done a priori to prevent
such events, absent requiring CAs to not issue to any organisation that
shares control with the CA.  I get the impression that would be a
requirement that CAs would not relish.

Rather, probably the best lever trust stores can apply is contained in
your problem statement:

> the numbers and find out that n hours of downtime cost more than their
> entire CA times the probability of being distrusted?

At present, this calculus comes out very much in favour of "don't
revoke", since the probability of being distrusted is so low.  If that
probability were increased to ~1, the cost of downtime would have to be
much higher before it were deemed reasonable to take such an action.
Also bear in mind that with p(distrust) ~ 1, the controlling
organisation only gets to play that card once -- they're unlikely to get
a controlled CA back into trust stores any time soon thereafter.

- Matt

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a131f203-165f-4197-a33c-a7b7f7960a28%40mtasv.net.