[cabfpub] Ballot 92 - Subject Alternative Names

Gervase Markham gerv at mozilla.org
Fri Nov 16 09:49:10 MST 2012


On 16/11/12 16:38, Steve Roylance wrote:
> Please remember that it's not only how the browser vendors display these
> certificates in real time that's at stake here, but what audit trail is
> left (including captured logs/packets/ocsp responses or CRLs that help
> identify the cert in question) so that an enterprise is able to find
> out who actually did break in and steal something (or who is trying).

Mozilla's position is that it is not sufficiently difficult to get an OV 
cert with a misleading O field that it would prove a difficulty for 
criminals. That's why we have EV. I know some people disagree with us on 
this, but there it is. So, your logic would lead us to the idea that 
certs with non-FQDNs in them must be EV.

> If you are suggesting that having a single FQDN included is strong enough
> to identify the culprit then this is not correct, no more than me creating
> a gerv at gmx.com would lead to you.

I think it is at least a way of differentiating two otherwise identical 
certs for "mail".

> This stance seems to be counter to the threat of allowing non public
> credentials in the first place.   If there's no need to positively
> identify the owner of the credential used in an attack then the threat is
> not that serious and we can carry on offering to all who ask without
> question.

As you know, our stance on such certs is that we are making a trade-off. 
Like you, I'd like to see them gone tomorrow. But I don't want to fall 
into the politician's fallacy: "We must do something. This is something. 
Therefore we must do this."

> I'm not a forensics expert but as the Tesco strapline here in the UK says
> "Every little helps" and I'm sure that's true.

What you want to do is not side-effect-free. Say a CA is not in the OV 
business. If they want to continue to issue such certs, they either have 
to validate them all as EV (not a winning proposition), stop issuing, or 
spin up new business process.

Gerv
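The point Gerv makes about "two otherwise identical certs for 'mail'" is one an enterprise can check for itself: a certificate whose SAN carries only non-FQDN or private names leaves nothing in a log, OCSP response or CRL capture that attributes it to a public identity. The script below is an added illustration, not code from the CA/Browser Forum or from either author in this thread. It represents each certificate simply as a list of SAN strings (no X.509 parsing), and the internal-suffix list and the sample certificates are constructed assumptions, not an authoritative registry.

```python
"""Audit SAN entries: which certificates contain at least one public FQDN
(and so can be told apart in an audit trail), and which contain none.

Added example; the certificate records and the suffix list are constructed.
"""
import ipaddress

# Suffixes commonly used for internal-only names (constructed, illustrative list).
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localhost")


def is_public_fqdn(name: str) -> bool:
    """True if a SAN entry looks like a public, globally routable name or address."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return False

    # iPAddress-style entries: only globally routable addresses count as public.
    try:
        return ipaddress.ip_address(name).is_global
    except ValueError:
        pass  # not an IP literal, treat as a DNS name

    # A wildcard is judged by the domain it covers.
    if name.startswith("*."):
        name = name[2:]

    # Single-label names such as "mail" are not FQDNs.
    if "." not in name:
        return False

    # Reserved / internal suffixes are not public.
    if name.endswith(INTERNAL_SUFFIXES):
        return False

    # Basic hostname syntax: non-empty labels, <= 63 chars, letters/digits/hyphen.
    labels = name.split(".")
    for label in labels:
        if not label or len(label) > 63:
            return False
        if not label.replace("-", "").isalnum():
            return False
    return True


def classify_san(san_entries):
    """Split a certificate's SAN list into public and non-public entries."""
    public = [n for n in san_entries if is_public_fqdn(n)]
    internal = [n for n in san_entries if not is_public_fqdn(n)]
    return {"public": public, "internal": internal}


def unattributable(cert_sans):
    """Return the ids of certificates whose SAN contains no public FQDN at all.

    cert_sans maps a certificate id (constructed label) to its list of SAN strings.
    """
    return [cid for cid, sans in cert_sans.items() if not classify_san(sans)["public"]]


# Constructed sample inventory: three certs that all carry the internal name "mail".
SAMPLE_CERTS = {
    "cert-A": ["mail", "mail.example.com"],          # distinguishable by its FQDN
    "cert-B": ["mail"],                                # nothing public to go on
    "cert-C": ["mail", "10.0.0.25", "exchange.corp.local"],  # all internal
}

if __name__ == "__main__":
    for cid, sans in SAMPLE_CERTS.items():
        print(cid, classify_san(sans))
    print("no public FQDN:", unattributable(SAMPLE_CERTS))
```

Run against a real inventory, the `unattributable` list is the set of certificates for which Steve's audit-trail concern applies in full; `cert-A` shows the minimal mitigation Gerv describes, a single public FQDN alongside the internal name.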
