On 01/04/2009 04:48 AM, Ian G:
On the punishment side, about all we have is "drop the root!" which I
earlier described as a blunt weapon. Are we being sensible when we now
have to "drop the root" for the three CAs who have reported problems?

Actually we've discussed this issue just recently but before you started your valuable contributions here as well ;-)

It was suggested to work with the CAs in question to improve and solve those outstanding issues. I think this is what Frank has always done so far and which could be considered policy. However, nothing is holding the hands of Mozilla back from removing a root if needed. That is especially when a risk for the users exists. Negligence by the CA and failure to conform to the Mozilla CA Policy are certainly on the table as well, I guess.


Demand changes?

Where needed, yes.

Should we implement California rules -- 3 strikes and the root is killed?

It very much depends on the circumstances, but yes, I think repeated failure of a CA should have consequences. Requiring attestations about the requested changes could be more effective before actually removing a root.


We need something. With nothing, we have no feedback. With no feedback,
any objective system drifts to subjectivity. It is I think the case that
for the entirety of the Internet PKI system, no participant has ever
been punished; how far into insecurity are we?

Somewhat perhaps. On the other hand, let me show you this example: When the Debian weak keys surfaced, I wasn't overly convinced of the need for action initially. This forum and members of it convinced me otherwise and I worked at my organization for a resolution. It resulted (as reported here [1]) in the following:

"I've received reports that StartSSL was one of the first CAs to filter for bad keys, and others, such as GoDaddy and Netlock have followed suit.)"

The work here and the influence provoked actions which were picked up by others including the most important CAs. As I also indicated earlier, my participation here is a give and take and can provoke changes also at the organization I run. This shows that the right influence can have positive results without "punishments". On other matters this might not always be enough however, not entirely sure.

[1] http://codefromthe70s.org/sslblacklist.aspx

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
