[cryptography] another cert failure
iang at iang.org
Mon Jan 7 03:15:34 EST 2013
On 7/01/13 06:48 AM, Jeffrey Walton wrote:
> On Sat, Jan 5, 2013 at 4:23 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst <ryan.hurst at globalsign.com> wrote:
>> In the future, we won't need their honesty. Or the 'honesty' they want
>> us to perceive.
>> Did anyone really think a CA would risk a multimillion dollar business?
> Did anything ever emerge about the pre-blog deal?
> I suspect Mozilla/Trustwave transpired as follows:
> (1) Trustwave issues certificate(s), violates agreements
> (2) Trustwave realizes they are exposed to risk that could result in
> reputational and financial loss
> (3) Trustwave legal engages Mozilla
> (4) A deal is brokered
> (5) After the deal was executed, Trustwave blogged about the incident.
LOL... Jeff, this is *exactly the logic* I used to use in the mozilla
mail group when I pressed the hypothesis that Mozilla cannot revoke
roots. It's so nice to find someone who understands basic business issues.
Some good came out of those arguments. Mozilla got their revocation
procedure in place, and documented! The vendors thought about it some,
and when it happened, they didn't flounder, they were able to roll out
their procedures. Also, the vendors finally realised their legal
position and made some changes in BR to defend themselves. 18.2 if you
As it is legal of course, they won't ever comment.
But the basic problem remains - if the CA resists, vendors cannot revoke
reliably. Basically, what we have here are really tough and damaging
consequences for small, insignificant CAs that are far away ... but
those won't work so well if the CA is closer, heavier, and got lawyers.
It's a start ... but, do you see how every change seems to be pointing
in one particular direction? John Case will see it ;-)
> Everything Trustwave and Mozilla did [publicly] was likely a dog and
> pony show to alter our perception of reality.
> The outcome was already known and fixed. Otherwise, Trustwave lawyers
> would never have agreed to the deal, and the blog never would have
> Mozilla had to play dumb to ensure it did not suffer reputational
> loss; or jeopardize their relationship with Google, which could have
> resulted in significant financial loss.
Yeah. Little-known fact is that Mozilla maintains confidential
discussions with the CAs. The "open group" is basically theater, it has
been totally owned by the CAs for many years. Mozilla routinely reports
no meetings, minutes, positions, representations, agreements, NDAs, etc.
Open contributors have been punching blind in a Roman circus since the
end of the first policy, which is why the open policy group has not
really achieved as much as the advertisement claims.
This all came out (if my memory serves me correctly) from observing that
Mozilla resisted changes to the sub-CA regime. Sounds apropos?
Basically, we worked out that Mozilla had been receiving private and
confidential briefings from CAs about why they didn't want changes to
the sub-CA regime. Mozilla found itself in the position of arguing
those positions without declaring those positions.
When it comes to it, Mozilla are hoisted on their own petard. It was
they who agreed to confidential discussions, and they who entered into
the CABForum -- those nice guys that Jon refers to are nice guys *when
you sign up for their club* and that's not a new trick.
But have a look at how they abused mozilla's open policy group to rush
through their confidentially-prepared standards for a faux public
comments period. It's all in the archives, they brought in their
supporters, they argued for no changes, they've worked on these
documents sooooo long, 2 years now, we can't go back now, why isn't a
month long enough for comment, there's nothing to say, right?
They may be nice guys, but they really sold Mozilla's reputation for
their own benefit. It is going to take years for Mozilla to go open, if
they were to so decide.
> That also explains why the safety net failed.
Yep. To add another "fact" to the mix -- PKI is not really a technical
fight, which is why it is bemusing to technical communities.
It is a legal fight. And the ones who know it are the larger CAs,
vendors aren't the experts in this, although Microsoft is reputed to
have had original expertise. So one thing you will find is that you can
*sometimes* engage the players in technical conversation if you bring
power to the table. But if you try a legal discussion, watch how fast
everything ices over....