[cabfpub] Ballot 92 - Subject Alternative Names
Gervase Markham
gerv at mozilla.org
Fri Nov 16 09:49:10 MST 2012
On 16/11/12 16:38, Steve Roylance wrote:
> Please remember that it's not only how the browser vendors display these
> certificates in real time that's at stake here, but what audit trail is
> left (including captured logs/packets/ocsp responses or CRLs that help
> identify the cert in question) so that an enterprise is able to find
> out who actually did break in and steal something (or who is trying).
Mozilla's position is that it is not sufficiently difficult to get an OV
cert with a misleading O field that it would prove a difficulty for
criminals. That's why we have EV. I know some people disagree with us on
this, but there it is. So, your logic would lead us to the idea that
certs with non-FQDNs in them must be EV.
> If you are suggesting that having a single FQDN included is strong enough
> to identify the culprit then this is not correct, no more than me creating
> a gerv at gmx.com would lead to you.
I think it is at least a way of differentiating two otherwise identical
certs for "mail".
> This stance seems to be counter to the threat of allowing non public
> credentials in the first place. If there's no need to positively
> identify the owner of the credential used in an attack then the threat is
> not that serious and we can carry on offering to all who ask without
> question.
As you know, our stance on such certs is that we are making a trade-off.
Like you, I'd like to see them gone tomorrow. But I don't want to fall
into the politician's fallacy: "We must do something. This is something.
Therefore we must do this."
> I'm not a forensics expert but as the Tesco strapline here in the UK says
> "Every little helps" and I'm sure that's true.
What you want to do is not side-effect-free. Say a CA is not in the OV
business. If they want to continue to issue such certs, they either have
to validate them all as EV (not a winning proposition), stop issuing, or
spin up new business process.
Gerv