[Cryptography] distrusted root CA: WoSign

Peter Bowen pzbowen at gmail.com
Mon Oct 3 23:12:46 EDT 2016


On Mon, Oct 3, 2016 at 4:43 PM, Stephen Farrell
<stephen.farrell at cs.tcd.ie> wrote:
> On 04/10/16 00:28, Peter Gutmann wrote:
>> Salz, Rich <rsalz at akamai.com> writes:
>>>> I am not suggesting you write a patch, I am suggesting you propose
>>>> something that actually works instead of whining about how the system is
>>>> fixed. So far, I have seen no such proposal.
>>>
>>> Dissolve CABForum and host it under IETF or OASIS or any other open standards
>>> organization.
>>
>> I would say get the EFF or someone similar to run it.  Both of those groups,
>> while nominally open, are way too easy to render captive to vendor interests.
>> I'm not saying they do bad work, but that the structure is very vulnerable to
>> vendor stacking.
>
> I'm biased, but though EFF do fantastic work, I don't think
> they're that open in the sense most relevant here. That said,
> I think either your or Rich's postulated futures would be
> better than the status quo - which of those would be the
> "betterest" is probably moot however.

I think there is some confusion over how CAs get into the trust anchor
lists of popular web browsers and operating systems.

Each browser and operating system[1] has a policy that lays out the
requirements to be accepted in to their list.  Some of them are more
detailed than others and some are more transparent and open than
others.  All of them, as far as I know, require an audit report from an
independent auditor covering their operations.  Most of them impose a
set of requirements on the operation of CAs and some (but not all)
require that the CA follow the CA/Browser Forum guidelines.

Each browser or OS makes its own decision on who gets in.  This is
clear if you compare: the Venn diagram of the different trust anchor
lists has overlaps but is clearly not a full overlap.

Mozilla is notable because it does run an open and transparent process
to determine what goes into its policy and review whether CAs meet the
requirements.  They have made it clear that they want community input
and discussion on their policy.  They have also made it clear that the
CA/B Forum is not the final rule for them -- they add and remove
requirements as the community sees fit.

So, I beg you, please participate in mozilla.dev.security.policy and
help set the requirements.  That is far more valuable than debating
which standards organization umbrella is best.

Thanks,
Peter
