On Fri, Mar 08, 2019 at 09:35:21PM +0000, Jeremy Rowley via dev-security-policy wrote:
> If they need some help with large scale replacement, I know some people
> who did that recently. Joking of course, but really - with Godaddy,
> Google, and Apple reporting a large number of certs that have what seems
> to be a minor compliance issue in light of the certs all being SHA2, does
> Mozilla want to require a complete revocation and replacement? Seems like
> a lot of effort and disruption for little value to the Mozilla community.
On the contrary, I think this incident provides a *lot* of value to the Mozilla community -- and also to CAs and certificate users. Horstman's Christmas Rule says, "anything important that you don't do very often, you will do poorly". It's the reason why militaries drill regularly, why firefighters practice rolling and bowling hoses, and why commercial airline pilots spend time in simulators -- because those things need to be done well.

A closer-to-home equivalent might be something like the "simian army" (sometimes known as the "chaos monkey") concept popularised by Netflix -- you don't know if your disaster-recovery systems will work unless you test them, so why not test them regularly?

Similarly, revoking (and potentially re-issuing) certificates en masse needs to be done well, because there is the distinct chance that at some point, a(nother) *very* serious security problem is going to be found that will require that a large volume of certificates be revoked and reissued, for real, with practically zero notice. I think at this point we have enough data to say with some confidence that, when CAs have to do this out-of-the-blue, the results are not what we might hope for. Whether it's because CA systems and processes aren't where they should be, or because certificate end-users are insufficiently willing and able, there are definite problems that should be addressed.

I've previously suggested, somewhat tongue-in-cheek, that Mozilla should provide for "spontaneous revocation" in its CA program requirements -- that on a random basis, a CA should be handed a list of a certain percentage of their certificates, chosen at random, and be told, "you must consider the following certificates compromised, and handle it appropriately".
I don't expect such a rule to be adopted any time soon, because the general appetite for wanton destruction does not match my own, but it is my platonic ideal of ensuring, for real and certain, that CAs either are able to do what may very well become necessary, or else they are shown, in clear and unambiguous terms, that things are not up to scratch, and figure out what went wrong so it can be fixed.

Essentially, situations like this insufficiently-random serial number issue, or the previous underscore situation, are self-inflicted drills around mass-revocation. They're drills, rather than the "real thing", because I agree that there is very little short-term harm that will result if these certificates are not revoked strictly within the mandated timeframes.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

