Probability has nothing to do with it. Trustwave was excused because what they were doing was not expressly prohibited at the time and other CAs were probably doing the same thing. Trustwave proactively came forward about what they had done. They shouldn't have been the only ones to be distrusted as a result. CAs are not going to be excused for this again, as CNNIC and ANNSI show.
No, it wasn't. That's because the certificates we're talking about were intended to substitute for Google's. They were for enterprise networks, some of them with legal requirements to monitor outgoing traffic (Google Mail in particular is a big problem at regulated financial firms.) The CA=YES certificates were housed in DLP and proxy appliances that ran only on the borders of their own networks.
Enterprises wanted these certificates because the alternative to them is installing additional root certificates on everyone's desktop machines, which is a logistical pain.
I'm not excusing that CA transaction. Issuing CA=YES certificates as a convenience for enterprise security teams is terribly irresponsible, and never should have been allowed.
But, at the the the Trustwave thing happened, it was not expressly black-letter against the rules, and so Trustwave didn't get the CA death penalty for it.
This is getting circular. I'm fully aware of the purpose of these certificates. The discussion was "did Mozilla make the right decision in excusing a CA that essentially decided to create an extra root CA". The result was a rogue google certificate in the wild. I guess browsers don't care that it was only intended for proxying employee traffic, after all.
I certainly think that in the circumstances, no, they did not. The Mozilla CA policy isn't some legally binding document. They are free to change it and still death-penalty whoever was ultimately responsible for these rogue certificates.
I'm not sure what you expect from Mozilla. It would be nice if there was a way to instantaneously kill a CA and ensure all of its issued certificates continued to work, so that a big chunk of the Internet wouldn't suddenly break. If that capability existed, Mozilla or Google could nuke CAs left or right without even checking the Basic Requirements. But it doesn't, and so the process for handling CA inclusion is done by the book.
In this case, the book said "I guess proxy MITM CA=YES certificates are fine, as long as you're careful".
We're getting to the root of the issue after all. Mozilla simply wasn't prepared to nuke a popular CA unless Google and Microsoft joined in to the fun.
Policy was just the excuse. We saw what happened with CNNIC. Coordinated press releases.
I don't know, it seems like, however unprepared anyone is to nuke a popular CA, they're going to be even less prepared if that CA didn't actually violate the policy.
You keep writing as if it's common sense that the policy should say "nobody can issue CA=YES certificates to enterprises". But while I agree strongly that they shouldn't, this is not common sense. The certificates that Trustwave sold were never deployed on the public Internet, and their disclosure outside of whatever giant bank bought them would presumably have been accompanied by massive civil liability.
The policy didn't mention this behavior not because it never occurred to anyone to ban it, but because it was overtly, actively thought to be OK, by pretty much every stakeholder, until browsers started getting better at monitoring certificate issuance.
Really, the simple truth is: you have Google to thank for pretty much every positive shift in norms about SSL/TLS CAs. Until they built the team they have doing this today (which is amazing), certificate issuance was --- not hyperbolically, but actually, factually --- the lawless wild west.†
Do I wish they'd built that team a few years earlier? Yes, of course. I also wish heap and integer overflows were better known in the early 90s. You can't always get what you want.
† The Google team will pointedly add that we should be thanking the Mozilla team for the work they've been doing on keeping a coherent CA policy and trusted root set going all these years; as you can see from this thread, it's a thankless task. I don't agree with all of Mozilla's decisions, but if you throw down in a m.d.s.policy thread about them being incompetent or ineffectual, be prepared to have people who have forgotten more about certificate issuance than you've ever learned give you some pretty vivid comparisons to how other certificate stores have been managed all this time.
No, nothing like that. The browsers had not made it clear to CAs before 2012 that such products were not to be sold. I distinctly remember seeing these sorts of products quite publicly for sale (but in the hundreds-of-thousands-of-dollars range, I think) on CAs' websites in the late '00s.
It was a different time then, and we've gotten better at expecting CAs to be competent. The probability that action will be taken today for the same thing is 1.
IIRC, that happened when it was not totally clear that a CA shouldn't be doing that. That incident made it clear that such a thing was in fact prohibited by Mozilla policy, and the CA in question revoked the cert. If it happens again, I would expect the CA (regardless of size) to be revoked—but at the same time, I would expect the big CAs to know they shouldn't even think of it now, which apparently they didn't know in 2012.
"WONTFIX" is the technical status of the Bugzilla bug, because there wasn't a code change, but it's clear that Mozilla took a policy action:
> I have posted a draft CA Communication in the mozilla.dev.security.policy forum for review/discussion. My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period. There is also an action item for CAs to update their CP/CPS to make it clear that they will not issue subCAs for this purpose.
(That also happened when the browser world was less good at dealing with bad CAs, in general)
It absolutely was a policy misunderstanding in 2012. It is no longer a misunderstanding, since it is now abundantly clear to CAs that they can't do that. It no longer stands.
As far as CA policy goes, 2012 was the very distant past. You might as well accuse Mozilla of poor judgment for allowing MD5 certificates in 2012, it would make as much sense.
The CA did the equivalent of purposefully putting their hand into a garbage disposal unit. You're telling me we should not reconsider them as a root CA because the unit didn't say "don't put your hand into this".
Honestly, I'm not sure how you plan to argue your way around a situation where I ended up with a rogue "mail.google.com" certificate accepted by my browser. That wasn't in the rules?! The CA wasn't clear on the policy for that?
... nobody had clearly explained to you what the specific transaction Trustwave got in trouble for was actually about.
Now you know, so "this will not stand" and "Trustwave stuck its hand in the garbage disposal" shouldn't be germane anymore. Once again: the whole point of those certificates is to sign domains the certificate owner doesn't control. They're sold only to giant corporations with huge amounts of insurance, and they're contractually obligated to ensure they're deployed only on the corporation's own network.
I think Chinese CAs are also special cases. If American browser vendors remove a Chinese CA like WoSign, there is the possibility a fork distribution will replace Mozilla in China by inclusion of these certificates. I think it would take the cooperation of the Big 4 browser/OS vendors to remove a CA, and the Chinese market often responds by creating its own internal distribution.
But Firefox probably could name-constrain WoSign to .cn. Firefox could probably also name-constrain all StartCom-issued certificates after some cut-off-date to .cn or just ban new StartCom-issued certificates entirely.
Reprising a previous comment about this suggestion:
This is one of those ideas that sounds like common sense when you hear or think about it the first time, but falls apart on scrutiny. Ryan Sleevi has done a much better job picking it apart than I can here, but among the numerous problems with it:
* The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
* It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
* It consigns residents of countries with oppressive governments to total control by their governments, while at the same time making usage constraints based on those TLDs (such as local mandates to use services whose names end in .XX for XX in $bad_countries) much more powerful.
* It further promotes the idea that security should somehow be tied to the DNS, despite the fact that the DNS is itself not transparently managed, and is often managed at odds with the interests of Internet users as a whole.
* By factionalizing Internet trust, it harms interoperability and also makes it harder to introduce further constraints into the certificate system by essentially declaring up front that we're conceding Internet trust policy to individual nations.
* It greatly complicates the security stories of companies that have adopted vanity domain names in random countries, which, whatever you think of those companies (koff! Pinboard), is an unforced error.
Of all the things we can spend time on to improve Internet security, this is not one of the better ones.
> The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
Are they? I always thought that .com, .edu, .net et al. are American. I suppose one could argue that .eu is transnational, although the EU are trying very hard to invent their own postmodern nation.
> It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
It's not really jingoism, although it might be nationalism. And is it even nationalism, when each nation-state makes its corporate decisions in a manner which is acceptable to the members of said state?
> It consigns residents of countries with oppressive governments to total control by their governments
… which they already are under, so it doesn't make anything worse. And they are, of course, free to revolt, as oppressed peoples have done throughout history, sometimes succeeding and sometimes failing.
> By factionalizing Internet trust
You say factionalising, I say federating. It doesn't make any sense to me for a corporation in Canada to certify the identity of a site in Iran for a resident of Guinea-Bissau, which is the current situation. Federation seems to me to be the only solution capable of scaling to a world of billions.
> It greatly complicates the security stories of companies that have adopted vanity domain names in random countries
I think the unforced error was placing their identities in the hands of foreign states.
And, of course, with domain-level validation, their security is already in the hands of those states.
https://bugzilla.mozilla.org/show_bug.cgi?id=724929 WONTFIX