Well there is CA-Browser forum and then there is this: https://wiki.mozilla.org/CA:Communications#September_8.2C_2011
By my reading, Gerv and Kathleen should now know the answer to that question. Though whether they can share it with us is another matter.

I don't own the speaking stick on the other part of your proposal. But it seems sensible enough. I am pretty sure that none of the information that is commercially valuable isn't being captured anyway.

On Fri, Nov 4, 2011 at 8:13 AM, Tom Ritter <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/4/2011 12:47 AM, Phillip Hallam-Baker wrote:
> > I can't give a figure right now. But we should be able to get a figure once the minimum criteria for DV issue are applied.
> >
> > It should be somewhere between 30 and 50 entities performing the domain validation part of the criteria after the dust settles.
> >
> > Then there is a much larger number of resellers some of which perform some validation steps for OV validation but do not have keys and do not perform the domain name checking.
>
> This I want to capture and discuss.
>
> Picking an audit at random from http://www.mozilla.org/projects/security/certs/included/ I don't see any listing of identifiers for Signing Certificates - either the ultra-root, the one they use in practice, or the creepy little ones we're arguing about. A skim through the latest CAB Draft http://www.cabforum.org/Baseline_Requirements_Draft_35.pdf (it has track changes on? it's been updated? when?) doesn't say anything about an audit listing all Signing Certificates.
>
> It should. Because otherwise what you said isn't true. We _still_ won't be able to figure out what the correct figure of independent entities is, because we'll find a Signing Certificate, ask the Signer about it, and they'll give canned responses. There's no guarantee that the auditor knew about that Signing Certificate, that it's on-site, under their control, or what.
>
> Now, this could become the CA-CA, where the Auditor signs the Signing Certificate, but then Auditors' keys go into browsers (or they're worthless and easily faked) or it starts looking like a Web of Trust - messy. Not interested.
>
> I am interested in being able to whitelist Signing Certificates using Audit Reports as a source. Ideally, browsers would do this. Less ideally - they won't, and someone will make a browser plugin or Convergence notary that does.
>
> But we're back to the same scenario: CA gets hacked, Signing Certificate produced and delivered to bad guys. Eventually it's found in the wild thanks to cert pinning, and shitstorm ensues. CA can't be feasibly removed from root because it would break 25% of the internet* so the rogue signing cert is blacklisted.
>
> So, I know this isn't the perfect place for CAB Forum Discussion, but: Audit Reports being required to list the certificates protected by the controls they audited? Thoughts?
>
> - -tom
>
> * Either CA is removed from immediately, internet breaks for people; CA is removed from root after 6 month delay, in which case we're taking punitive action which is good, but not protecting people from shitty CA for 6 months which is bad; or CA is not removed. Auditor may or may not be distrusted.
> -----BEGIN PGP SIGNATURE-----
>
> iEYEARECAAYFAk6z1swACgkQJZJIJEzU09uECwCfUmaawowZ7g1sXfuEhW5obg/q
> SWMAnRRvTIl/GQaxpvNASU2CCxp4Plfn
> =zO8K
> -----END PGP SIGNATURE-----

--
Website: http://hallambaker.com/
