(To be clear, this comment isn't targeted at Mozilla specifically.)
It seems to me that, if you are a business incorporated in the United States, whose primary/majority source of income is being a CA; then the browser vendors & their policies are now more important than, say, the U.S. Federal Trade Commission or the U.S. Department of Justice, in terms of getting signoff on a corporate transaction (in this case, a merger).
So, the life or death of one corporate entity is placed directly in the hands of a small group of other corporate entities.
And although some might respond by saying "Well, you can build $BROWSER yourself", or "Well, you can re-add that CA, if you still trust it.", I don't think that would be enough to keep the CA going, because the number of people who will do that are going to be infinitesimally small, compared to the total number of users of $BROWSER.
I think I dislike it because the post is so open-ended. The sentence fragment "While Mozilla does not intend to micro-manage any CA…" also rubbed me the wrong way.
I guess it points (again) to the fundamental issues of how we ensure that we are connecting to the web site we expect to.
As one of these companies (CAs), I think I would certainly worry a little that any one of a few other companies (Google, Mozilla, Microsoft, Apple) could effectively kill my business.
However, I'm not one of these companies (CAs). I am a customer of a couple of them (by necessity, of course) but, primarily, I am just a consumer/end-user of the (CA) service that they provide. From this position, I'm actually quite glad that there are other companies -- the browser vendors -- who can serve as sort of an "overseer" of the CAs.
The browser vendors don't have any actual authority over a CAs daily operations or how they choose to run their business, of course. Instead they simply act as representatives of the Internet-using population in ensuring that the Baseline Requirements and their own (root inclusion) policies are adhered to.
As an example, I think it's pretty much a given that Equifax is going to emerge from the recent compromise relatively unscathed. They might have to pay a fine or settle a class-action suit or something but, for the most part, it's going to be business as usual for them. Time will pass and we'll forget about this incident. Those of us who are/were affected are left without any real recourse.
If a CA had a major compromise like this, however, the CA would almost certainly not get off so easily. We have the corpse of DigiNotar [0] as proof as that. The browser vendors' decisions to remove the DigiNotar roots from their trust stores was, effectively, a death sentence for the company and, in my opinion, a well-deserved one as well. It should -- and, I'm sure, did -- serve as a warning to the other CAs.
If nothing else, the "authority" that the browser vendors do have is a benefit to everyone. I think the CAs clearly understand what can/will happen if they choose to flagrantly violate the BRs and/or allow a major security incident to happen and I believe that is motivation for them to ensure that they do their job properly. It's reassuring to me -- as an "end user" of these CAs -- to know that their will be repercussions if they don't.
Unfortunately we the public have little visibility into how browser makers choose which CAs will live and which will die. This seems to be a governmental like function, one which companies are now operating, with no record of the court to speak of.
DigiNotar died, but Comodo[0] was too big to fail.
This is true for the two biggest commercial trust stores, Apple and Microsoft. But Mozilla conducts almost all its activities in public and this is no different. The group m.d.s.policy is open to public participation, as well as having some participants from other trust stores and CAs. You should probably lurk for a while before posting (people who show up one day writing that all the CAs should be kicked out get basically the same reaction as if you stumble into a bar demanding an end to alcoholic beverages at the top of your lungs) but if you have something worth saying that's somewhere it will be seen.
People may feel uneasy about this, but what is the alternative?
A few years ago we were in a situation where CAs basically could do whatever crap they want and had to face no consequences at all. Google and Mozilla have at some point said "stop" and have started tightening rules.
Ultimately if you operate a CA properly there is also little to fear. Don't issue certs for domains whose owners haven't asked for it, don't violate the rules that CAs and Browsers agreed upon, if mistakes happen be transparent about it, explain them and answer questions. No CA has faced any serious consequences for minor mistakes. The cases where CAs have faced consequences all had in common that major violations of rules happened multiple times.
> People may feel uneasy about this, but what is the alternative?
The FTC or Congress should regulate these things, not a volunteer, highly self-interested oligopoly. I think the government has not kept up: Just like law enforcement is not effective in protecting you against cybercrime, the FTC and Congress haven't kept up with trade issues on the Internet. It's 2017; these issues are no longer new.
I like Mozilla, but in the long run there's not much reason to think that the current arrangement will take seriously the interests of users and consumers, as well as CAs, small browser vendors, others using public key crypto, and other stakeholders. Those people need a seat at the table, a vote, power. That's what democratic government and regulation are for: Situations where power should be distributed democratically, not to whomever has the most marketshare.
> The FTC or Congress should regulate these things, not a volunteer, highly self-interested oligopoly.
The Internet is not limited to the US.
Also existing attempts of gov regulation of crypto aren't exactly a success story. We had two major fuckups very recently of crypto that had multiple government crypto-certifications.
I think it's unfair to treat the browser vendors as "other corporate entities" as if they don't have a direct relationship with the CAs. Essentially, a CA is a trust reseller. the browser vendors trust the owners of the root certificates, and the CAs resell that trust to websites.
As a reseller, you are always beholden to the producer of the product your are selling. That's the nature of a resale business, and it makes perfect sense that the browser vendors, the "original manufacturer" of the product the CA is selling, has more influence over the CA's business than the FTC or the DOJ does.
I didn't mean "other corporate entities" as a pejorative term. I was trying to come up with a generic descriptor, and since all of the browser makers have some sort of articles of incorporation (even Mozilla, at https://www.mozilla.org/en-US/foundation/documents/articles-...), that's why I came up with "other corporate entities".
The reseller analogy is interesting! But I think there is one thing missing from that, which is the exchange of value, or the contractual arrangement.
As a customer of a CA, you possibly pay some form of money, and you always agree to some form of contract (in the form of Terms & Conditions). But the CA does not may money to the browser vendors, as far as I'm aware. And looking through some of the Mozilla CA Certificate Root Program bugs, I don't see any indication of contracts/T&Cs being agreed to, except what is implicit in the fact that prople are requesting inclusion.
What makes this more confusing is that the CA's do pay money, to a third party in the form of auditors who make sure that the CA is following the various CAB Forum requirements.
So it is hard for me to see this as a reseller type of arrangement.
I'm personally glad Mozilla take such an interest in ensuring CAs are trustworthy. After all, they are the linchpin for security and authenticity of just about everything on the web.
I think this post shows that Mozilla are trying to be as transparent as possible about what they expect, and thay they're proactively working with Digicert to make it as likely as possible that the new CA will be trusted. A certain amount of open-endedness is inevitable though, otherwise it'd be possible to find loopholes with enough motivation (and the survival of a business is fairly good motivation).
I'm glad to see DigiCert appearing to make a good faith effort to make sure this transition is handled in a responsible and trustworthy way, and hope they can follow through. It's easy to appear transparent and have the best intentions, until the suits see the bill.
For what it's worth, I talked to my partner rep at one of the CAs who issue certs under the Symantec roots a few weeks ago to see what their plan was to get us through this transition (i'll have to reissue a significant number of certs under the DigiCert root) and he seemed really excited about what's coming, referring specifically to the superior systems and processes offered by DC. So we'll see but I'm cautiously optimistic.
You can and should operate your own root trust programme, or club together with other people who have the same idea of what constitutes trustworthy. If, like most of us, you prefer to delegate this problem to your OS vendor then you get to keep both halves when it breaks.
The main trust stores today are operated by Microsoft (for Windows), Apple (for Mac OS and iOS), Mozilla (Firefox and all the Free Unix systems), Google (Android), and Oracle (Java). Smaller or less frequently updated stores are operated by a large number of organisations, including Sony, Nintendo, Avaya, IBM and so on.
All the big stores either explicitly publish a list of what's trusted or provide an obvious way to work it out and some third party aggregates the results.
Most of the trust programmes are completely opaque and proprietary. Mozilla's is open to the public as you'd expect, Google openly relies on Mozilla's process although it takes its own final decisions. Microsoft uses the shared CCADB with Mozilla but doesn't publicly talk about its trust processes.
Yes, there are a few lists. According to Microsoft, it's the one they embed in Windows, Edge, etc. According to the Chrome team, it's the one in their store. According to Debian, it's the one in Mozilla's CA bundle, etc.
That's true for a relatively low bar, not really equivalent to a list of "recommended" ciphers. The equivalent is probably the 15 CAs with >0.1% marketshare plus a few more particularly well-run ones.
The irony is, these companies that operate trust lists accept zero responsibility in the case you are defrauded using a certificate issued by a CA they deem trustworthy.
You mentioned TLS versions and cipher suites. TLS is documented in a set of RFCs, so if you want to answer the question "Does software X implement TLS version 1.2?", then you can answer that question by checking its behavior against RFC 5246.
As far as I'm aware, there is no RFC which quantifies trust.
It seems to me that, if you are a business incorporated in the United States, whose primary/majority source of income is being a CA; then the browser vendors & their policies are now more important than, say, the U.S. Federal Trade Commission or the U.S. Department of Justice, in terms of getting signoff on a corporate transaction (in this case, a merger).
So, the life or death of one corporate entity is placed directly in the hands of a small group of other corporate entities.
And although some might respond by saying "Well, you can build $BROWSER yourself", or "Well, you can re-add that CA, if you still trust it.", I don't think that would be enough to keep the CA going, because the number of people who will do that are going to be infinitesimally small, compared to the total number of users of $BROWSER.
I think I dislike it because the post is so open-ended. The sentence fragment "While Mozilla does not intend to micro-manage any CA…" also rubbed me the wrong way.
I guess it points (again) to the fundamental issues of how we ensure that we are connecting to the web site we expect to.