[cabfpub] Ballot 92 - Subject Alternative Names

Steve Roylance steve.roylance at globalsign.com
Fri Nov 16 10:17:55 MST 2012


Hi Gerv,

Answers in line.


On 16/11/2012 16:49, "Gervase Markham" <gerv at mozilla.org> wrote:

>On 16/11/12 16:38, Steve Roylance wrote:
>> Please remember that it's not only how the browser vendors display these
>> certificates in real time that's at stake here, but what audit trail is
>> left (including captured logs/packets/ocsp responses or CRLs that help
>> identify the cert in question) so that an enterprise is able to to find
>> out who actually did break in and steal something (or who is trying).
>
>Mozilla's position is that it is not sufficiently difficult to get an OV
>cert with a misleading O field that it would prove a difficulty for
>criminals. That's why we have EV. I know some people disagree with us on
>this, but there it is. So, your logic would lead us to the idea that
>certs with non-FQDNs in them must be EV.

I disagree.  We have three levels of validation.  DV, OV and EV.  The
degree of assurance of identity rises at each level and therefore OV is
better than DV.
We see it differently because we walk different paths.  I see vetting
questions/queue/rejections on a daily basis as customers submit requests
for certificates where the information they want inside is not possible or
misleading.   It's harder to get an OV certificate and harder still to get
an EV, however as not all people CAN get EV we cannot stipulate this as a
way forward.   All people can be vetted to OV and the BRs allow this.

>
>> If you are suggesting that having a single FQDN included is strong
>>enough
>> to identify the culprit then this is not correct, no more than me
>>creating
>> a gerv at gmx.com would lead to you.
>
>I think it is at least a way of differentiating two otherwise identical
>certs for "mail".
>
>> This stance seems to be counter to the threat of allowing non public
>> credentials in the first place.   If there's no need to positively
>> identify the owner of the credential used in an attack then the threat
>>is
>> not that serious and we can carry on offering to all who ask without
>> question.
>
>As you know, our stance on such certs is that we are making a trade-off.
>Like you, I'd like to see them gone tomorrow. But I don't want to fall
>into the politician's fallacy: "We must do something. This is something.
>Therefore we must do this."

I prefer the insurance stance of a little pain now rather than a larger
pain later. A damning report on how CAs have allowed bad practices to
continue when they had a chance to improve them would be very sad.

>
>> I'm not an forensics expert but as the Tesco strapline here in the UK
>>says
>> "Every little helps" and I'm sure that's true.
>
>What you want to do is not side-effect-free. Say a CA is not in the OV
>business. If they want to continue to issue such certs, they either have
>to validate them all as EV (not a winning proposition), stop issuing, or
>spin up new business process.

Agreed.  If CA's are providing these types of certificates with zero
validation of the subscriber then yes, they need to stop.  All BRs give
rise to business decisions. As it happens 3 year certificates are already
prohibited and this will reduce year on year.  By July next year when this
was proposed to be implemented there will only 137 days to go until only 1
year certificates are the only whole year option.

>
>Gerv

Anyway, the good thing about all this is that pass or fail there is now
public record of GlobalSign and our endorsers trying to improve things.

>




More information about the Public mailing list