- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 06 Apr 2015 15:34:52 +0000
- To: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8g075NyJiqyo3hRLH5Ed2mcRAJOvU9XTtLOEFzxU4wjug@mail.gmail.com>
Jeffrey, I (and I'm sure others on the list) appreciate your concern, but Certificate Authority policy is outside of our subject matter here. Browsers collaborate with CAs to establish policy at the CA/Browser Forum ( cabforum.org). Though it's never very reliable to map press-release material to technical and audit compliance, if you have concerns of this type, you might ask GeoTrust directly for clarification, try questions [at] cabforum.org, or the relevant browsers' policy mailing lists. Mozilla's is public, at https://groups.google.com/forum/#!forum/mozilla.dev.security.policy and I'm pretty sure that other browser trust root policy folks follow the happenings there. thank you, Brad Hill On Sun, Apr 5, 2015 at 6:17 PM Jeffrey Walton <noloader@gmail.com> wrote: > This just made my radar: "GeoTrust Launches GeoRoot; Allows > Organizations with Their Own Certificate Authority (CA) to Chain to > GeoTrust's Ubiquitous Public Root," > http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows- > organizations-with-their-own-certificate-authority-ca-to- > chain-to-geotrusts-ubiquitous-public-root-54048807.html. > > I understand the use case. For example, Google appears to use it for > its Internet Authority G2 (https://pki.google.com) to manage it web > properties (corrections please). > > However, the Ubiquitous Public Root program removes the independent > third party auditor that performs the validation. In the past, a > reseller would perform the validations and then issue the end-entity > certificate under their subordinate CA. If a reseller was misbehaving, > then the subordinate CA would be revoked. This economic disincentive > presumably keeps resellers honest. > > Additionally, GeoTrust does not appear to place any name constraints > on the subordinate CA they issue to the organization. Both the IETF > and CA/B have name constraints that could be used to enforce the > policy. The relevant documents are RFC 5280, 4.2.1.10 Name Constraints > and Baseline Requirements, 9.7 Technical Constraints in Subordinate CA > Certificates via Name Constraints. > > I think its OK to trust Google to do the right thing and issue > certificates for domains under its control. But I'm not sure the same > can be said about other that participate in the program, like the > Bob's Used Cars or the Islamic Republic of Iran. > > >From the security engineering standpoint, we should not have to rely > on trust here. Trust is what we use when we don't have security > controls to place. In this case, we have a security control but its > not being used. > > I think a program like GeoTrust's has the potential to undermine the > entire system, and it brings into question the reliance on the system > for Secure Origins and its powerful features. > >
Received on Monday, 6 April 2015 15:35:20 UTC