Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Peter Bowen via dev-security-policy]

On Mon, Feb 13, 2017 at 4:14 AM, Gervase Markham via
dev-security-policy  wrote:
> On 10/02/17 12:40, Inigo Barreira wrote:
>> I see many "should" in this link. Basically those indicating "should notify
>> Mozilla" and "should follow the physical relocation section".
>
> It may be that this document does need redoing in formal policy
> language. In the mean time, anyone uncertain about its meaning should
> ask Kathleen.

Gerv,

In addition to updating it to follow formal policy language, I would
suggest adding it directly to the policy.  As it stands today there
are 79 pages in the wiki starting with "CA:".  It simply isn't
possible to know which ones are effectively part of the policy and
which are other random things.  I realize building and maintaining
long policies is time consuming, but it is important to be clear.  CAs
are routinely called out for unclear or incomplete CPs and CPSes, so I
think it is fair to ask Browsers to have clear and complete trust
store policies.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Inigo Barreira via dev-security-policy]

Yes, I know what happened but it´s not what the document says. Unless there´s 
another document, it seems to me that you haven´t acted according to what this 
page says. If I understand correcly, a should is a conditional and then it´s 
not a requirement. Furthermore there´s no indication on the consequences if you 
don´t do it, at least in this document. Maybe I´m missing some others, for 
sure, but i´d like to have the full picture.


Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On 
Behalf Of Gervase Markham via dev-security-policy
Sent: lunes, 13 de febrero de 2017 13:15
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google 
Trust Services roots)

Hi Inigo.

On 10/02/17 12:40, Inigo Barreira wrote:
> I see many "should" in this link. Basically those indicating "should 
> notify Mozilla" and "should follow the physical relocation section".

It may be that this document does need redoing in formal policy language. In 
the mean time, anyone uncertain about its meaning should ask Kathleen.

> What does it happen if you don´t notify Mozilla?

Well, this was a factor in our dis-trust of WoSign and StartCom, so I guess the 
answer is "we take it seriously" :-)

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Inigo Barreira via dev-security-policy]

Gerv,

I see many "should" in this link. Basically those indicating "should notify
Mozilla" and "should follow the physical relocation section". But in
physical relocation and personnel changes sections it seems to me there´s a
contradiction because there are some must. Can you explain the differences?
According to the above mentioened there´s a should, so you´re able to not
follow what it´s indicated in the following ones, then the must does not
take effect, is this correct?
What does it happen if you don´t notify Mozilla?

Best regards

Iñigo Barreira
CEO
StartCom CA Limited


-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Gervase Markham via dev-security-policy
Sent: viernes, 10 de febrero de 2017 10:48
To: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google
Trust Services roots)

On 10/02/17 06:15, Richard Wang wrote:
> I think Mozilla should have a very clear policy for:
> (1)  If a company that not a public trusted CA acquired a trusted root
key, what the company must do?
> (2)  If a company is a public trusted CA that acquired a trusted root key,
what the company must do?
> (3) If a company is a public trusted CA, but distrusted by Mozilla, this
company acquired a trusted root key, what the company must do?

We do: https://wiki.mozilla.org/CA:RootTransferPolicy .

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Gervase Markham via dev-security-policy]

On 10/02/17 05:10, Peter Bowen wrote:
> On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via
>> A) The date Google took control of the GlobalSign roots
>> B) The date Google publicly announced GTS
>>
>> you will see there's quite a big delta. If you assume Google told
>> Mozilla about event A) before it happened, then you can see the problem.
> 
> Google says they took control on 11 August 2016.

So that's date A).

> On 19 October 2016, Google publicly stated "Update on the Google PKI:
> new roots were generated and web trust audits were performed, the
> report on this is forthcoming,"
> (https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Then you can consider this as Date B) :-)

> I appreciate the business realities of pre-disclosure, but that is not
> the case here.  There is no excuse for having taken control of
> existing roots and not disclosing such once they disclosed that they
> are intending to become a root CA.

This may or may not be what people think the policy _should_ be, but the
policy currently _is_ that disclosures of ownership change do not have
to be public. Mozilla does not require public disclosure of change of
ownership at any time.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Gervase Markham via dev-security-policy]

On 10/02/17 06:15, Richard Wang wrote:
> I think Mozilla should have a very clear policy for:
> (1)  If a company that not a public trusted CA acquired a trusted root key, 
> what the company must do?
> (2)  If a company is a public trusted CA that acquired a trusted root key, 
> what the company must do?
> (3) If a company is a public trusted CA, but distrusted by Mozilla, this 
> company acquired a trusted root key, what the company must do?

We do: https://wiki.mozilla.org/CA:RootTransferPolicy .

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Richard Wang via dev-security-policy]

I think Mozilla should have a very clear policy for:
(1)  If a company that not a public trusted CA acquired a trusted root key, 
what the company must do?
(2)  If a company is a public trusted CA that acquired a trusted root key, what 
the company must do?
(3) If a company is a public trusted CA, but distrusted by Mozilla, this 
company acquired a trusted root key, what the company must do?

Thanks.

Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Peter Bowen via dev-security-policy
Sent: Friday, February 10, 2017 1:10 PM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Public disclosure of root ownership transfers (was: Re: Google 
Trust Services roots)

On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
> On 09/02/17 14:32, Gijs Kruitbosch wrote:
>> Would Mozilla's root program consider changing this requirement so 
>> that it *does* require public disclosure, or are there convincing 
>> reasons not to? At first glance, it seems like 'guiding' CAs towards 
>> additional transparency in the CA market/industry/... might be 
>> helpful to people outside Mozilla's root program itself.
>
> This would require CAs and companies to disclose major product plans 
> publicly well in advance of the time they would normally disclose them.
> I won't dig out the dates myself, or check the emails, but if you look 
> for the following dates from publicly-available information:
>
> A) The date Google took control of the GlobalSign roots
> B) The date Google publicly announced GTS
>
> you will see there's quite a big delta. If you assume Google told 
> Mozilla about event A) before it happened, then you can see the problem.

Google says they took control on 11 August 2016.

On 19 October 2016, Google publicly stated "Update on the Google PKI:
new roots were generated and web trust audits were performed, the report on 
this is forthcoming,"
(https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Google didn't file with Mozilla until 22 December 2016, and I suspect that was 
only because I happened to run across their staged website:
https://twitter.com/pzb/status/812103974220222465

I appreciate the business realities of pre-disclosure, but that is not the case 
here.  There is no excuse for having taken control of existing roots and not 
disclosing such once they disclosed that they are intending to become a root CA.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Peter Bowen via dev-security-policy]

On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via
dev-security-policy  wrote:
> On 09/02/17 14:32, Gijs Kruitbosch wrote:
>> Would Mozilla's root program consider changing this requirement so that
>> it *does* require public disclosure, or are there convincing reasons not
>> to? At first glance, it seems like 'guiding' CAs towards additional
>> transparency in the CA market/industry/... might be helpful to people
>> outside Mozilla's root program itself.
>
> This would require CAs and companies to disclose major product plans
> publicly well in advance of the time they would normally disclose them.
> I won't dig out the dates myself, or check the emails, but if you look
> for the following dates from publicly-available information:
>
> A) The date Google took control of the GlobalSign roots
> B) The date Google publicly announced GTS
>
> you will see there's quite a big delta. If you assume Google told
> Mozilla about event A) before it happened, then you can see the problem.

Google says they took control on 11 August 2016.

On 19 October 2016, Google publicly stated "Update on the Google PKI:
new roots were generated and web trust audits were performed, the
report on this is forthcoming,"
(https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google)

Google didn't file with Mozilla until 22 December 2016, and I suspect
that was only because I happened to run across their staged website:
https://twitter.com/pzb/status/812103974220222465

I appreciate the business realities of pre-disclosure, but that is not
the case here.  There is no excuse for having taken control of
existing roots and not disclosing such once they disclosed that they
are intending to become a root CA.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

[Gervase Markham via dev-security-policy]

On 09/02/17 14:32, Gijs Kruitbosch wrote:
> Would Mozilla's root program consider changing this requirement so that
> it *does* require public disclosure, or are there convincing reasons not
> to? At first glance, it seems like 'guiding' CAs towards additional
> transparency in the CA market/industry/... might be helpful to people
> outside Mozilla's root program itself.

This would require CAs and companies to disclose major product plans
publicly well in advance of the time they would normally disclose them.
I won't dig out the dates myself, or check the emails, but if you look
for the following dates from publicly-available information:

A) The date Google took control of the GlobalSign roots
B) The date Google publicly announced GTS

you will see there's quite a big delta. If you assume Google told
Mozilla about event A) before it happened, then you can see the problem.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy