[cryptography] another cert failure

Jeffrey Walton noloader at gmail.com
Mon Jan 7 06:15:32 EST 2013


Hi Ian,

Off list. I am so gad damn angry at myself for seeing this sooner. It
all makes sense now.

OT: Have you read http://www.amazon.com/dp/1420059815? Perhaps you
contributed or technical edited?

Thanks again for your insight.

Jeff

On Mon, Jan 7, 2013 at 3:15 AM, ianG <iang at iang.org> wrote:
> On 7/01/13 06:48 AM, Jeffrey Walton wrote:
>>
>> On Sat, Jan 5, 2013 at 4:23 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>>>
>>> On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst <ryan.hurst at globalsign.com>
>>> wrote:
>>>>
>>>> ....
>>>
>>> In the future, we won't need their honesty. Or the 'honesty' they want
>>> us to perceive.
>>>
>>> ....
>>>
>>> Did anyone really think a CA would risk a multimillion dollar business?
>>>
>> Did anything ever emerge about the pre-blog deal?
>>
>> I suspect Mozilla/Trustwave transpired as follows:
>>
>> (1) Trustwave issues certificate(s), violates agreements
>> (2) Trustwave realizes they are exposed to risk that could result in
>> reputational and financial loss
>> (3) Trustwave legal engages Mozilla
>> (4) A deal is brokered
>> (5) After the deal was executed, Trustwave blogged about the incident.
>
> LOL... Jeff, this is *exactly the logic* I used to use in the Mozilla mail
> group when I pressed the hypothesis that Mozilla cannot revoke roots.  It's
> so nice to find someone who understands basic business issues.
>
> Some good came out of those arguments.  Mozilla got their revocation
> procedure in place, and documented!  The vendors thought about it some, and
> when it happened, they didn't flounder, they were able to roll out their
> procedures.  Also, the vendors finally realised their legal position and
> made some changes in BR to defend themselves.  18.2 if you are interested.
>
> As it is legal of course, they won't ever comment.
>
> But the basic problem remains - if the CA resists, vendors cannot revoke
> reliably.  Basically, what we have here are really tough and damaging
> consequences for small, insignificant CAs that are far away ... but those
> won't work so well if the CA is closer, heavier, and got lawyers.  It's a
> start ... but, do you see how every change seems to be pointing in one
> particular direction?  John Case will see it ;-)
>
>> Everything Trustwave and Mozilla did [publicly] was likely a dog and
>> pony show to alter our perception of reality.
>>
>> The outcome was already known and fixed. Otherwise, Trustwave lawyers
>> would never have agreed to the deal, and the blog never would have
>> occurred.
>>
>> Mozilla had to play dumb to ensure it did not suffer reputational
>> loss; or jeopardize their relationship with Google, which could have
>> resulted in significant financial loss.
>
> Yeah.  Little known fact is that Mozilla maintains confidential discussions
> with the CAs.  The "open group" is basically theater, it has been totally
> owned by the CAs for many years.  Mozilla routinely reports no meetings,
> minutes, positions, representations, agreements, NDAs, etc.  Open
> contributors have been punching blind in a Roman circus since the end of the
> first policy, which is why the open policy group has not really achieved as
> much as the advertisement claims.
>
> This all came out (if my memory serves me correctly) from observing that
> Mozilla resisted changes to the sub-CA regime.  Sounds apropos? Basically,
> we worked out that Mozilla had been receiving private and confidential
> briefings from CAs about why they didn't want changes to the sub-CA regime.
> Mozilla found itself in the position of arguing those positions without
> declaring those positions.
>
> When it comes to it, Mozilla are hoisted on their own petard.  It was they
> who agreed to confidential discussions, and they who entered into the
> CABForum -- those nice guys that Jon refers to are nice guys *when you sign
> up for their club* and that's not a new trick.
>
> But have a look at how they abused Mozilla's open policy group to rush
> through their confidentially-prepared standards for a faux public comments
> period.  It's all in the archives, they brought in their supporters, they
> argued for no changes, they've worked on these documents sooooo long, 2
> years now, we can't go back now, why isn't a month long enough for comment,
> there's nothing to say, right?
>
> They may be nice guys, but they really sold Mozilla's reputation for their
> own benefit.  It is going to take years for Mozilla to go open, if they were
> to so decide.
>
>> That also explains why the safety net failed.
>
> Yep.  To add another "fact" to the mix -- PKI is not really a technical
> fight, which is why it is bemusing to technical communities.
>
> It is a legal fight.  And the ones who know it are the larger CAs, vendors
> aren't the experts in this, although Microsoft is reputed to have had
> original expertise.  So one thing you will find is that you can *sometimes*
> engage the players in technical conversation if you bring power to the
> table.  But if you try a legal discussion, watch how fast everything ices
> over....


