* Ian G.:

> So what to do? Should "Mozilla" become "the judge" in the post-event
> phase? Do we leave this job to the courts? Should we group together
> on this list and pass final judgement? Should we all vote? Demand
> changes? Should we implement California rules -- 3 strikes and the
> root is killed?

A three strikes approach encourages confidence-reducing games, so I don't like it.

I think that without court involvement, it's very difficult to run proper discovery. Suppose that you have got evidence which strongly suggests that a CA keeps an equivalent of the private key of the root in a non-secured data center. The evidence is short of conclusive proof, though. You ask the CA about it, and it says, "no, that's not true". You ask, "can you show us how you have structured control of the private key?", and the answer is, "no, that's business confidential information".

The same dialog might happen after you have obtained actual proof (in the form of a certificate) that something is amiss. This time, the CA says that it has "implemented adequate controls to prevent a recurrence of the event", and the details remain confidential. But if all you've got is CA output due to lack of transparency, you are in three strikes territory.

The downside of court involvement is that if all CAs are rotten and don't want to enforce, the whole system continues to drift.

> We need something. With nothing, we have no feedback. With no
> feedback, any objective system drifts to subjectivity. It is I think
> the case that for the entirety of the Internet PKI system, no
> participant has ever been punished; how far into insecurity are we?

EV is (also) an attempt to devalue existing infrastructure, so it's some form of group punishment.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto