[cryptography] another cert failure

ianG iang at iang.org
Mon Jan 7 03:15:34 EST 2013

On 7/01/13 06:48 AM, Jeffrey Walton wrote:
> On Sat, Jan 5, 2013 at 4:23 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst <ryan.hurst at globalsign.com> wrote:
>>> ....
>> In the future, we won't need their honesty. Or the 'honesty' they want
>> us to perceive.
>> ....
>> Did anyone really think a CA would risk a multimillion dollar business?
> Did anything ever emerge about the pre-blog deal?
> I suspect Mozilla/Trustwave transpired as follows:
> (1) Trustwave issues certificate(s), violates agreements
> (2) Trustwave realizes they are exposed to risk that could result in
> reputational and financial loss
> (3) Trustwave legal engages Mozilla
> (4) A deal is brokered
> (5) After the deal was executed, Trustwave blogged about the incident.

LOL... Jeff, this is *exactly the logic* I used to use in the mozilla 
mail group when I pressed the hypothesis that Mozilla cannot revoke 
roots.  It's so nice to find someone who understands basic business issues.

Some good came out of those arguments.  Mozilla got their revocation 
procedure in place, and documented!  The vendors thought about it some, 
and when it happened, they didn't flounder, they were able to roll out 
their procedures.  Also, the vendors finally realised their legal 
position and made some changes in BR to defend themselves.  18.2 if you 
are interested.

As it is legal, of course, they won't ever comment.

But the basic problem remains - if the CA resists, vendors cannot revoke 
reliably.  Basically, what we have here are really tough and damaging 
consequences for small, insignificant CAs that are far away ... but 
those won't work so well if the CA is closer, heavier, and got lawyers. 
It's a start ... but, do you see how every change seems to be pointing 
in one particular direction?  John Case will see it ;-)

> Everything Trustwave and Mozilla did [publicly] was likely a dog and
> pony show to alter our perception of reality.
> The outcome was already known and fixed. Otherwise, Trustwave lawyers
> would never have agreed to the deal, and the blog never would have
> occurred.
> Mozilla had to play dumb to ensure it did not suffer reputational
> loss; or jeopardize their relationship with Google, which could have
> resulted in significant financial loss.

Yeah.  Little known fact is that Mozilla maintains confidential 
discussions with the CAs.  The "open group" is basically theater, it has 
been totally owned by the CAs for many years.  Mozilla routinely reports 
no meetings, minutes, positions, representations, agreements, NDAs, etc. 
Open contributors have been punching blind in a Roman circus since the 
end of the first policy, which is why the open policy group has not 
really achieved as much as the advertisement claims.

This all came out (if my memory serves me correctly) from observing that 
Mozilla resisted changes to the sub-CA regime.  Sounds apropos? 
Basically, we worked out that Mozilla had been receiving private and 
confidential briefings from CAs about why they didn't want changes to 
the sub-CA regime.  Mozilla found itself in the position of arguing 
those positions without declaring those positions.

When it comes to it, Mozilla are hoisted on their own petard.  It was 
they who agreed to confidential discussions, and they who entered into 
the CABForum -- those nice guys that Jon refers to are nice guys *when 
you sign up for their club* and that's not a new trick.

But have a look at how they abused mozilla's open policy group to rush 
through their confidentially-prepared standards for a faux public 
comments period.  It's all in the archives, they brought in their 
supporters, they argued for no changes, they've worked on these 
documents sooooo long, 2 years now, we can't go back now, why isn't a 
month long enough for comment, there's nothing to say, right?

They may be nice guys, but they really sold Mozilla's reputation for 
their own benefit.  It is going to take years for Mozilla to go open, if 
they were to so decide.

> That also explains why the safety net failed.

Yep.  To add another "fact" to the mix -- PKI is not really a technical 
fight, which is why it is bemusing to technical communities.

It is a legal fight.  And the ones who know it are the larger CAs, 
vendors aren't the experts in this, although Microsoft is reputed to 
have had original expertise.  So one thing you will find is that you can 
*sometimes* engage the players in technical conversation if you bring 
power to the table.  But if you try a legal discussion, watch how fast 
everything ices over....
