Hacker News
by Dayshine 2523 days ago
Could somebody explain to me why Mozilla (or whatever organisation is using bugzilla here) are in a position to dictate policy here?

If the majority of outstanding certificates were held by the Italian government, major banks and hospitals, what is the CA supposed to do if they're just told "No, you won't revoke the certificates until we're ready, we don't think the risk is worth it"? Further, reading a comment below on the usage of these certificates by the Italian state for mandatory reporting: it sounds like revoking could be considered a criminal offense...

This very much reads like a private entity mandating that tens if not hundreds of thousands of Euros are spent by the Italian state over a very minor security risk.


Somebody has to decide who is trusted. Mozilla (a not-for-profit) thinks that it suits their mission best if they're deciding, at least when it comes to their browser, Firefox, by default.

If you think somebody else should decide - maybe the Government of Italy, or the Queen of England, or Donald Trump, or you personally - then here are a few questions for your new Root Trust Programme:

1. Why? At least Mozilla's rationale is related to a fact: they make Firefox, so it trusts whatever they decide. What would be the rationale for why the Pope gets to decide?

2. Are they actually doing it? This is largely a tedious responsibility. But, if you decide to slack off, every Firefox user gets screwed. So, you know, you're going to need to put those hours in. Forever. I've lost count of how many people or organisations decided they could do better and didn't last a year.

3. Where's the transparency? The main way Mozilla stands out from the other big trust store operators (Apple, Microsoft, Google, and arguably Oracle) is that they're a not-for-profit and so they operate transparently. Your contributions are welcome at m.d.s.policy https://groups.google.com/forum/#!forum/mozilla.dev.security... where we are currently discussing the minutiae of Certificate Policy documentation. If your alternative is less transparent, how is that not worse?

I'm not saying Mozilla isn't a good organisation to run this, I'm saying it seems insane to have what seems like policies that don't allow for any proportional response.

I don't know how involved you are, but to a lay observer this story seems like Mozilla's policies are entirely black and white, to the benefit of nobody (except perhaps to reduce work, I suppose, which is reasonable, but not really a valid reason in terms of security).

Is there no tiered approach to risks? Hell, in this situation it seems like more harm and risk will have been created by the rush to reissue certificates that would have been caused by this theoretical security vulnerability.

Edit: Actually, on further reading, it seems like the issue is more that Actalis didn't correctly invoke their right to this discretionary power?

You may also enjoy https://wiki.mozilla.org/CA/Incident_Dashboard, which all the CAs responding to such incidents need to be aware of, and which shows that there is a rather large amount of proportionality, based on an appropriate degree of transparency and communication.

That is very interesting, thank you. And yes, the tone and approach in all the incidents I read through there seemed great.

Well, the Italian government agreed to those terms when they bought the certificates. If they didn't like that, they could've gotten them from somewhere else, or maybe set up a CA of their own, governed according to their own policies. Sure, then their CA wouldn't be pre-loaded in browsers, but they also wouldn't have to bother with pesky details such as responding in a timely way to incidents.

CAs are held to a strict security standard. Nobody is forcing any entity to act as a CA - if you don’t want that kind of responsibility, you don’t have to be a CA. But if this stuff isn’t taken seriously, the padlock icon means absolutely nothing.

My question was why this "regulatory agency" (without statutory powers) believes it is completely acceptable to cause direct harm without any discretion on the size of the risk.

The CA is irrelevant, they're just a middle-man.

What of the much greater potential harm of allowing non-compliant CAs? A CA's 'customers' are not just the people it sold certs to but also everybody on the internet who uses a browser. One way to read this incident is as a story of this inherent divided loyalty.

Browser vendors effectively are the ruling party of the Internet at the moment. And Mozilla can mostly only follow Google's lead, as Chrome is (basically) everyone's browser. It doesn't matter what you put on your server if Chrome, Firefox, and Safari refuse to accept it. Whether it's the trusted certificates list, or features of HTML and JavaScript, or decisions about what sort of web content will trigger the browser to block parts of your site, browser developers determine what the public will see.

The best part here too is that Mozilla's link on revocation basically says "we understand sometimes it's more risky to revoke according to our policy than to take a little longer, we just don't care and will utter our disappointment in you either way".