On 22/11/2017 18:03, Matthew Hardeman wrote:
> Hi,
>
> (Please don't CC me on replies, I am subscribed to the newsgroup).
>
> I touched on my thoughts on this matter a bit before. This is really
> about trust. I think several factors must be weighed here:
>
> 1. Is "trust" really required of a CA in a soon-to-be
> post-mandatory-CT-log world?

Yes, because CT log checking cannot possibly cover the identity checking
of most certificate holders (very few legitimate certificate holders run
software to check the CT logs daily for issuance of false certificates
in their names, and even fewer non-certificate holders do so). Also, CT
logs are limited to WebPKI certificates due to their total lack of
privacy. They are thus not applicable to e-mail, client or any other
kinds of non-web certificates.

> If some level of trust is required, then:
>
> 2. Can we say that the QiHoo 360 / WoSign / WoTrus / WoTrust / StartCom
> family of corporate entities has any left?

That is indeed a big question, especially given the failures during the
past year, notably:

1. StartCom using their current/future "live" root keys for testing.

2. StartCom trying to get cross-signed before applying for proper
vetting and inclusion. (I do not blame StartCom for the specific way in
which the cross-signing CA handled their end of the procedures.)

3. WoTrust trying to submit code audits before submitting the simpler
paperwork items, and Richard Wang seemingly responding that only step 5
of a multi-step requirements list is relevant.

4. QiHoo seemingly promising to oust Richard Wang, then not doing so.
(Assuming that promise was not a misunderstanding on the Mozilla side of
things.)

> And furthermore is trust in the corporate entity chain even necessary
> if...

Corporate owners can be good, neutral or bad for trust in a CA
subsidiary. At one end of the spectrum, being owned by a highly trusted
entity could increase trust in a CA operation. At the other end of the
spectrum, being owned by a known hostile entity such as the Sicilian
Mafia would ruin trust regardless of who is fronting the operation,
because that particular owner is notorious for forcing people to act
against their better judgement to the detriment of the public at large.

> 3. Are individuals filling executive and executive operations positions
> taking personal responsibility for key generation and management,
> stand-up of the infrastructure, and day-to-day operation of the
> infrastructure? And if so, can those individuals represent that they're
> staking their personal reputations on personally managing this
> infrastructure, or in the alternative guaranteeing to affirmatively
> notify the community that they are stepping down and can no longer be
> responsible?

That would certainly have been relevant for StartCom. In general this
would require the absence of any contract terms or other provisions that
could gag them against publicly disclosing such a step-down.

> My take: Businesses are assets. Assets can be closely held or not. In
> many cases, the not closely held assets are traded around quite often,
> often with little oversight. I don't think we can make any assertions
> on trust as to the ownership. I do, however, believe that a company can
> be operated in such a manner that key executives can be identified and
> personal representations of those parties can be relied upon, insofar
> as consequences can be visited upon those individuals by the root
> programs.

See my comments above.

> I do firmly support the spirit of this thread. I think it would be
> unethical of the community and of the Mozilla Root Program to dangle
> the theoretical possibility of inclusion / re-inclusion -- encouraging
> the endeavor such that many external costs are taxed upon the
> prospect -- if they have knowledge that there are likely to be problems
> in the final approval in terms of community buy-in. The downside, of
> course, is that while this alternative pre-discussion allows for
> discussion of the nebulous concept of "trust" and integrity, it
> actually denies the community those matters which can be most
> objectively evaluated -- the CPS, the subscriber agreements,
> certificate policy, auditor's opinions, etc. (which makes sense -- the
> development of these is pricey).

Agree.

> I suppose, in summation, I believe this conversation only matters if
> we're really trying to have a discussion about trust and defining
> trust and the importance of trust, and whether there is a way that this
> CA can be trusted.
>
> Just my thoughts...
>
> Matt Hardeman

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

