Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-13 Thread Gervase Markham via dev-security-policy
On 13/02/17 16:18, Peter Bowen wrote:
> In addition to updating it to follow formal policy language, I would
> suggest adding it directly to the policy.  As it stands today there
> are 79 pages in the wiki starting with "CA:".  It simply isn't
> possible to know which ones are effectively part of the policy and
> which are other random things. 

That's a fair point, and something I am slowly working on fixing. The
new CCADB policy will clean up some of this.

> I realize building and maintaining
> long policies is time consuming, but it is important to be clear.  CAs
> are routinely called out for unclear or incomplete CPs and CPSes, so I
> think it is fair to ask Browsers to have clear and complete trust
> store policies.

Fair point.

To be more precise: the current requirement is anchored in the
sentence(s) in the policy which request disclosure of company ownership
changes. A total lack of disclosure would be treated seriously. A
disclosure which didn't meet Kathleen's document exactly would be
treated less so.

I agree that having multiple "severities" of policy is not ideal. My
current roadmap, FWIW, is:

* Finish policy 2.4 (ideally by the end of this month)
* Help Kathleen with a CA Communication about it and other current matters
* Reorganise 2.4; issue 2.4.1 with no material changes
* Think about 2.5, which might include this improvement.

I have filed:
https://github.com/mozilla/pkipolicy/issues/57
about cleaning up this document.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-13 Thread Peter Bowen via dev-security-policy
On Mon, Feb 13, 2017 at 4:14 AM, Gervase Markham via
dev-security-policy  wrote:
> On 10/02/17 12:40, Inigo Barreira wrote:
>> I see many "should" in this link. Basically those indicating "should notify
>> Mozilla" and "should follow the physical relocation section".
>
> It may be that this document does need redoing in formal policy
> language. In the mean time, anyone uncertain about its meaning should
> ask Kathleen.

Gerv,

In addition to updating it to follow formal policy language, I would
suggest adding it directly to the policy.  As it stands today there
are 79 pages in the wiki starting with "CA:".  It simply isn't
possible to know which ones are effectively part of the policy and
which are other random things.  I realize building and maintaining
long policies is time consuming, but it is important to be clear.  CAs
are routinely called out for unclear or incomplete CPs and CPSes, so I
think it is fair to ask Browsers to have clear and complete trust
store policies.

Thanks,
Peter


RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-13 Thread Inigo Barreira via dev-security-policy
Yes, I know what happened but it's not what the document says. Unless there's
another document, it seems to me that you haven't acted according to what this
page says. If I understand correctly, a should is a conditional and then it's
not a requirement. Furthermore there's no indication on the consequences if you
don't do it, at least in this document. Maybe I'm missing some others, for
sure, but I'd like to have the full picture.


Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On 
Behalf Of Gervase Markham via dev-security-policy
Sent: lunes, 13 de febrero de 2017 13:15
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google 
Trust Services roots)

Hi Inigo.

On 10/02/17 12:40, Inigo Barreira wrote:
> I see many "should" in this link. Basically those indicating "should 
> notify Mozilla" and "should follow the physical relocation section".

It may be that this document does need redoing in formal policy language. In 
the mean time, anyone uncertain about its meaning should ask Kathleen.

> What happens if you don't notify Mozilla?

Well, this was a factor in our dis-trust of WoSign and StartCom, so I guess the 
answer is "we take it seriously" :-)

Gerv


Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-13 Thread Gervase Markham via dev-security-policy
Hi Inigo.

On 10/02/17 12:40, Inigo Barreira wrote:
> I see many "should" in this link. Basically those indicating "should notify
> Mozilla" and "should follow the physical relocation section". 

It may be that this document does need redoing in formal policy
language. In the mean time, anyone uncertain about its meaning should
ask Kathleen.

> What happens if you don't notify Mozilla?

Well, this was a factor in our dis-trust of WoSign and StartCom, so I
guess the answer is "we take it seriously" :-)

Gerv


RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Inigo Barreira via dev-security-policy
Gerv,

I see many "should" in this link. Basically those indicating "should notify
Mozilla" and "should follow the physical relocation section". But in
physical relocation and personnel changes sections it seems to me there's a
contradiction because there are some must. Can you explain the differences?
According to the above mentioned there's a should, so you're able to not
follow what is indicated in the following ones, then the must does not
take effect, is this correct?
What happens if you don't notify Mozilla?

Best regards

Iñigo Barreira
CEO
StartCom CA Limited


-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Gervase Markham via dev-security-policy
Sent: viernes, 10 de febrero de 2017 10:48
To: Richard Wang ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google
Trust Services roots)

On 10/02/17 06:15, Richard Wang wrote:
> I think Mozilla should have a very clear policy for:
> (1)  If a company that is not a public trusted CA acquired a trusted root
> key, what the company must do?
> (2)  If a company is a public trusted CA that acquired a trusted root key,
> what the company must do?
> (3) If a company is a public trusted CA, but distrusted by Mozilla, this
> company acquired a trusted root key, what the company must do?

We do: https://wiki.mozilla.org/CA:RootTransferPolicy .

Gerv



Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Gervase Markham via dev-security-policy
On 10/02/17 05:10, Peter Bowen wrote:
> On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via
>> A) The date Google took control of the GlobalSign roots
>> B) The date Google publicly announced GTS
>>
>> you will see there's quite a big delta. If you assume Google told
>> Mozilla about event A) before it happened, then you can see the problem.
> 
> Google says they took control on 11 August 2016.

So that's date A).

> On 19 October 2016, Google publicly stated "Update on the Google PKI:
> new roots were generated and web trust audits were performed, the
> report on this is forthcoming,"
> (https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Then you can consider this as Date B) :-)

> I appreciate the business realities of pre-disclosure, but that is not
> the case here.  There is no excuse for having taken control of
> existing roots and not disclosing such once they disclosed that they
> are intending to become a root CA.

This may or may not be what people think the policy _should_ be, but the
policy currently _is_ that disclosures of ownership change do not have
to be public. Mozilla does not require public disclosure of change of
ownership at any time.

Gerv



Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Gervase Markham via dev-security-policy
On 10/02/17 06:15, Richard Wang wrote:
> I think Mozilla should have a very clear policy for:
> (1)  If a company that is not a public trusted CA acquired a trusted root key,
> what the company must do?
> (2)  If a company is a public trusted CA that acquired a trusted root key, 
> what the company must do?
> (3) If a company is a public trusted CA, but distrusted by Mozilla, this 
> company acquired a trusted root key, what the company must do?

We do: https://wiki.mozilla.org/CA:RootTransferPolicy .

Gerv



RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Richard Wang via dev-security-policy
I think Mozilla should have a very clear policy for:
(1)  If a company that is not a public trusted CA acquired a trusted root key,
what the company must do?
(2)  If a company is a public trusted CA that acquired a trusted root key, what 
the company must do?
(3) If a company is a public trusted CA, but distrusted by Mozilla, this 
company acquired a trusted root key, what the company must do?

Thanks.

Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Peter Bowen via dev-security-policy
Sent: Friday, February 10, 2017 1:10 PM
To: Gervase Markham 
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google 
Trust Services roots)

On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy 
 wrote:
> On 09/02/17 14:32, Gijs Kruitbosch wrote:
>> Would Mozilla's root program consider changing this requirement so 
>> that it *does* require public disclosure, or are there convincing 
>> reasons not to? At first glance, it seems like 'guiding' CAs towards 
>> additional transparency in the CA market/industry/... might be 
>> helpful to people outside Mozilla's root program itself.
>
> This would require CAs and companies to disclose major product plans 
> publicly well in advance of the time they would normally disclose them.
> I won't dig out the dates myself, or check the emails, but if you look 
> for the following dates from publicly-available information:
>
> A) The date Google took control of the GlobalSign roots
> B) The date Google publicly announced GTS
>
> you will see there's quite a big delta. If you assume Google told 
> Mozilla about event A) before it happened, then you can see the problem.

Google says they took control on 11 August 2016.

On 19 October 2016, Google publicly stated "Update on the Google PKI:
new roots were generated and web trust audits were performed, the report on 
this is forthcoming,"
(https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Google didn't file with Mozilla until 22 December 2016, and I suspect that was 
only because I happened to run across their staged website:
https://twitter.com/pzb/status/812103974220222465

I appreciate the business realities of pre-disclosure, but that is not the case 
here.  There is no excuse for having taken control of existing roots and not 
disclosing such once they disclosed that they are intending to become a root CA.

Thanks,
Peter


Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Peter Bowen via dev-security-policy
On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via
dev-security-policy  wrote:
> On 09/02/17 14:32, Gijs Kruitbosch wrote:
>> Would Mozilla's root program consider changing this requirement so that
>> it *does* require public disclosure, or are there convincing reasons not
>> to? At first glance, it seems like 'guiding' CAs towards additional
>> transparency in the CA market/industry/... might be helpful to people
>> outside Mozilla's root program itself.
>
> This would require CAs and companies to disclose major product plans
> publicly well in advance of the time they would normally disclose them.
> I won't dig out the dates myself, or check the emails, but if you look
> for the following dates from publicly-available information:
>
> A) The date Google took control of the GlobalSign roots
> B) The date Google publicly announced GTS
>
> you will see there's quite a big delta. If you assume Google told
> Mozilla about event A) before it happened, then you can see the problem.

Google says they took control on 11 August 2016.

On 19 October 2016, Google publicly stated "Update on the Google PKI:
new roots were generated and web trust audits were performed, the
report on this is forthcoming,"
(https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Google didn't file with Mozilla until 22 December 2016, and I suspect
that was only because I happened to run across their staged website:
https://twitter.com/pzb/status/812103974220222465

I appreciate the business realities of pre-disclosure, but that is not
the case here.  There is no excuse for having taken control of
existing roots and not disclosing such once they disclosed that they
are intending to become a root CA.

Thanks,
Peter


Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Gervase Markham via dev-security-policy
On 09/02/17 14:32, Gijs Kruitbosch wrote:
> Would Mozilla's root program consider changing this requirement so that
> it *does* require public disclosure, or are there convincing reasons not
> to? At first glance, it seems like 'guiding' CAs towards additional
> transparency in the CA market/industry/... might be helpful to people
> outside Mozilla's root program itself.

This would require CAs and companies to disclose major product plans
publicly well in advance of the time they would normally disclose them.
I won't dig out the dates myself, or check the emails, but if you look
for the following dates from publicly-available information:

A) The date Google took control of the GlobalSign roots
B) The date Google publicly announced GTS

you will see there's quite a big delta. If you assume Google told
Mozilla about event A) before it happened, then you can see the problem.

Gerv