All,
Thanks again to all of you who have been providing thoughtful and
constructive input into this discussion. As I previously indicated [1],
this has been a difficult decision to make. I have been carefully
reading and contemplating the input that you all have been providing in
this forum.
I concur with Wayne’s recommendation [2] to add DarkMatter’s existing
intermediate certificates to OneCRL
(https://bugzilla.mozilla.org/show_bug.cgi?id=1564544), and decline
DarkMatter’s root inclusion request
(https://bugzilla.mozilla.org/show_bug.cgi?id=1427262). I will update
those bugs to reflect my decision to distrust the intermediate certs and
to decline the root inclusion request.
I also concur with Wayne that DarkMatter (a.k.a. DigitalTrust) is welcome
to be a “managed” subordinate CA under the oversight of an existing
trusted CA that retains control of domain validation and the private keys.
Below are some additional comments I would like to share.
I was intrigued by Matthew’s FICO score analogy [3] demonstrating that
bias should be removed from the decision making process. I agree with
Gijs’ suggestion [4] that a more applicable analogy is being a guarantor
on a large loan. As Gijs said: you should never “be a guarantor for
anybody unless you're very, very sure of that person, because you have
effectively no recourse if the debtor leaves you holding the bag.” If I
had thought of myself (or Mozilla) as a guarantor of the CNNIC CA, then
all of the concerns that people had raised about CNNIC during their root
inclusion request would have enabled me to say that I was not confident
that CNNIC would continue to fulfill their commitments as a CA in
Mozilla’s program. That could have prevented the difficulties that arose
when the CNNIC root was used to mis-issue TLS certificates that were
subsequently used for MiTM.
Some of you have pointed out that Mozilla needs to provide more
oversight and scrutiny of subordinate CAs, and I fully agree with you.
With over 3,000 subordinate CA certificates chaining to root
certificates in Mozilla’s program, we need automation to extend checks
and balances to all of them. I have been working towards this via the
Common CA Database (CCADB) [5]. The good news is that most of the
subordinate CAs in Mozilla’s program are “managed” subordinate CAs,
which means that the root CA retains control of the private keys and
domain validation. As Wayne mentioned, we are also working on improving
our policy and process to provide better oversight of the other,
“externally-operated”, subordinate CAs [6,7].
Thanks,
Kathleen
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/LPCGngLxBwAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/HiAMJkBNDQAJ
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/XXp1KIBoDQAJ
[5] https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
[6] https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
[7] https://github.com/mozilla/pkipolicy/issues/169
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy