
Trusting transferred root certificates - pdcerb
https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/
======
CaliforniaKarl
(To be clear, this comment isn't targeted at Mozilla specifically.)

It seems to me that, if you are a business incorporated in the United States,
whose primary/majority source of income is being a CA; then the browser
vendors & their policies are now more important than, say, the U.S. Federal
Trade Commission or the U.S. Department of Justice, in terms of getting
signoff on a corporate transaction (in this case, a merger).

So, the life or death of one corporate entity is placed directly in the hands
of a small group of other corporate entities.

And although some might respond by saying "Well, you can build $BROWSER
yourself", or "Well, you can re-add that CA, if you still trust it.", I don't
think that would be enough to keep the CA going, because the number of people
who will do that are going to be infinitesimally small, compared to the total
number of users of $BROWSER.

I think I dislike it because the post is so open-ended. The sentence fragment
"While Mozilla does not intend to micro-manage any CA…" also rubbed me the
wrong way.

I guess it points (again) to the fundamental issues of how we ensure that we
are connecting to the web site we expect to.

~~~
jlgaddis
As one of these companies (CAs), I think I would certainly worry a little that
any one of a few other companies (Google, Mozilla, Microsoft, Apple) could
effectively kill my business.

However, I'm not one of these companies (CAs). I am a customer of a couple of
them (by necessity, of course) but, primarily, I am just a consumer/end-user
of the (CA) service that they provide. From this position, I'm actually quite
glad that there are other companies -- the browser vendors -- who can serve as
sort of an "overseer" of the CAs.

The browser vendors don't have any actual authority over a CA's daily
operations or how they choose to run their business, of course. Instead they
simply act as representatives of the Internet-using population in ensuring
that the Baseline Requirements and their own (root inclusion) policies are
adhered to.

As an example, I think it's pretty much a given that Equifax is going to
emerge from the recent compromise relatively unscathed. They might have to pay
a fine or settle a class-action suit or something but, for the most part, it's
going to be business as usual for them. Time will pass and we'll forget about
this incident. Those of us who are/were affected are left without any real
recourse.

If a CA had a major compromise like this, however, the CA would almost
certainly not get off so easily. We have the corpse of DigiNotar [0] as proof
of that. The browser vendors' decisions to remove the DigiNotar roots from
their trust stores were, effectively, a death sentence for the company and, in
my opinion, a well-deserved one as well. It should -- and, I'm sure, did --
serve as a warning to the other CAs.

If nothing else, the "authority" that the browser vendors _do_ have is a
benefit to everyone. I think the CAs clearly understand what can/will happen
if they choose to flagrantly violate the BRs and/or allow a major security
incident to happen and I believe that is motivation for them to ensure that
they do their job properly. It's reassuring to me -- as an "end user" of these
CAs -- to know that there will be repercussions if they don't.

[0]: https://en.wikipedia.org/wiki/DigiNotar

~~~
bdamm
Unfortunately we the public have little visibility into how browser makers
choose which CAs will live and which will die. This seems to be a
governmental-like function, one which companies are now operating, with no
record of the court to speak of.

DigiNotar died, but Comodo[0] was too big to fail.

[0]: https://www.infoworld.com/article/2623829/authentication/weaknesses-in-ssl-certification-exposed-by-comodo-security-breach.html

~~~
tialaramex
This is true for the two biggest commercial trust stores, Apple and Microsoft.
But Mozilla conducts almost all its activities in public and this is no
different. The group m.d.s.policy is open to public participation, as well as
having some participants from other trust stores and CAs. You should probably
lurk for a while before posting (people who show up one day writing that all
the CAs should be kicked out get basically the same reaction as if you stumble
into a bar demanding an end to alcoholic beverages at the top of your lungs)
but if you have something worth saying that's somewhere it will be seen.

------
ndespres
I'm glad to see DigiCert appearing to make a good faith effort to make sure
this transition is handled in a responsible and trustworthy way, and hope they
can follow through. It's easy to appear transparent and have the best
intentions, until the suits see the bill.

For what it's worth, I talked to my partner rep at one of the CAs who issue
certs under the Symantec roots a few weeks ago to see what their plan was to
get us through this transition (I'll have to reissue a significant number of
certs under the DigiCert root) and he seemed really excited about what's
coming, referring specifically to the superior systems and processes offered
by DC. So we'll see, but I'm cautiously optimistic.

------
divbzero
Is there a list somewhere of trustworthy CAs?

Something akin to lists of recommended TLS versions and cipher suites? [1][2]

[1]: https://wiki.mozilla.org/Security/Server_Side_TLS

[2]: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

~~~
Aissen
Yes, there are a few lists. According to Microsoft, it's the one they embed in
Windows, Edge, etc. According to the Chrome team, it's the one in their store.
According to Debian, it's the one in Mozilla's CA bundle, etc.

~~~
chaz6
The irony is, these companies that operate trust lists accept zero
responsibility in the case you are defrauded using a certificate issued by a
CA they deem trustworthy.

~~~
dtech
You are of course free to maintain your own list and not use the lists they
provide for free if this is your concern.