On Monday, September 17, 2018 at 1:18:47 PM UTC-5, Wayne Thayer wrote:
> On Mon, Sep 17, 2018 at 9:43 AM Wayne Thayer wrote:
>
> > Even though the discussion period has ended, Mozilla will continue to
> > consider factual information that is submitted as comments here:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1325532
> >
> > Your concern about "without comment and then get approved" may stem from a
> > misunderstanding of Mozilla's process, as documented here:
> > https://wiki.mozilla.org/CA/Application_Verification A lack of comments
> > indicates that the community is satisfied with the review that was
> > performed on the inclusion request.
> >
> > Finally it seems that your concerns with this request have to do with
> > browser vendors also operating CAs? If so, I think that is a topic that is
> > much broader than this inclusion request. Google already operates as a CA
> > via cross-signing, as do Microsoft and Apple.
> >
> > Correction: Google is already a root CA in Mozilla's program because they
> acquired two roots from GlobalSign, as discussed here:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/1PDQv0GUW_s/oxDWH07VDgAJ
>
> On Mon, Sep 17, 2018 at 8:29 AM jtness--- via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> I am disappointed I didn't see this before the three week comment period,
> >> because this is an incredible disaster. Mozilla is seriously considering
> >> permitting a company with a completely unilateral ability to shut other
> >> Root CAs down (via their market share over Chrome and Android, and that the
> >> CAB has no legal authority to countermand their decisions on what CAs they
> >> trust), to then also be a competitor to these companies which it can
> >> unilaterally remove from the market? This is the sort of world-ending crud
> >> that shouldn't pass through a random Google Group without comment and then
> >> get approved.
> >>
> >>
The risk of any given browser vendor also being a Root CA is small as most
browser vendors do not have the requisite market share to make unilateral
decisions. Google possesses over 60% of the browser market and 80% of the
mobile operating system market. What avenues does Mozilla have to realistically
push back if Google abuses their effective authority over the Internet via
browser share in the CA space? Presumably "Firefox becomes the browser that
can't establish a connection to google.com or gmail.com" is outside of the
realm of realistic scenarios. Neither Apple nor Microsoft has the market share
to summarily decide a CA is no longer in business, Google can.
It would seem to me that Google is already the judge, jury, and executioner of
the public key infrastructure, and they're about to have a strong financial
interest in each CA that is found guilty. Presumably if Google were to
summarily execute another large CA in the future, after launching their own
certificate offering, they would see a large uptick in business.
With regards to your linked discussion about the GlobalSign root acquisition, I
see nothing but more reasons to be concerned. Is there any reason for Google to
have acquired the roots from GlobalSign except to backdoor their way into
already being in Mozilla's trusted store? I admit to being a layman on this
matter, so what exactly is the legitimate case for Google acquiring GlobalSign
roots?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
