Ian G wrote:
There have been a lot of calls to "change the policy" ... has someone thought to keep a record of all these? Here's what I recall so far:

  * MD5 should be dropped [1]
  * publication of private key is considered to be compromise
    + compromise should cause revocation
  * no resellers
  * drop the root of any rogue CA
<snip>
Are these things for policy changes, or are they just for "troublesome practices" pages? Or are they disputes?

MD5 should definitely be a "problematic practice". In terms of policy I think it should be handled as we did SSL2: Investigate what's out there, talk to CAs, and plan for a transition as soon as practicable.

Re CA revocation of EE certs with published private keys, see my separate message.

Re resellers, I think it is a fruitless task for us to try to move the entire CA industry to change the way it operates as a business. Our main interest is in having CAs maintain effective controls over their authorized agents, whether these be actual resellers, RAs in general, or whatever. If CAs outsource a lot of the work involved in subscriber verification (to an RA) or cert issuance (to a third-party subordinate) then I think it's reasonable to have them face increased questioning about measures they've taken to establish and maintain effective controls; however I don't think it's reasonable to disqualify them entirely for using third-party agents, or to dictate exactly how they should operate wrt such third-party agents.

Re "rogue CAs", "rogue" has no inherent meaning except with reference to some set of practices we define as unacceptable. So that's just part of the general discussion of what we should badger CAs about (problematic practices) vs. what we should take a strict line on and reject CAs for (policy requirements).

If there are more than three things in the list, we are beyond minor tweaks, so we may find ourselves in a major revision cycle. I don't think Mozo has the resources for that, but that's just my view.

Actually if Kathleen can take over the bulk of the CA request processing then I think I would have time for dealing with some of these policy issues. The only unsustainable thing is having me be on the critical path for CA evaluation.

Frank


--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
