[cabfpub] Ballot 161 - Notification of incorrect issuance

Ryan Sleevi sleevi at google.com
Fri Feb 5 19:44:19 UTC 2016


On Fri, Feb 5, 2016 at 3:50 AM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> the improper encoding of a field, minor non-compliance with referenced
> specs like RFC5280 then no, this is not something I can support.  It's both
> vague, and in my view, unnecessary at that level.


I take significant umbrage at that. We have spent significant man-months
trying to work through improving Chrome's certificate path validation
logic, similar to Mozilla, and have been repeatedly stymied by the failure
of CAs to adhere to the standards they are supposed to implement and are
audited against. The improper encodings of fields have been responsible
for multiple critical severity bugs within relevant parsers, and the
non-compliance issues have created significant pain in determining what the
user impact of following the spec would be.

Simply rejecting these certificates, as easy as it is for CAs to suggest,
carries with it real ecosystem risks, as it further discourages people from
attempting to validate the WebPKI correctly or robustly, due to the magic
incantations and hidden knowledge needed, which in turn leads to real
security issues when situations such as Symantec and Comodo's continued
SHA-1 issuance arise.

You can view a list like
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
to find out all about the sorts of 'hacks' that Mozilla has had to do, and
which we've had to independently rediscover or, at a minimum, re-verify
that these still present an issue.

They're misissued. They're not compliant. Neither the CA nor the auditor
should be sweeping these under the rug as 'minor' - they should be
qualified findings on an audit, disclosed, and corrected. This is the only
hope we have for the system to be able to scale, grow, and promote a robust
and secure Internet.


> All you need to do is use Rob's tool and you'll find errors in
> certificates from virtually every CA.


Agreed. And this is a gross failure of the industry to self-regulate or act
according to its standards.


> The CABF would be flooded with irrelevant notices of misissuance which
> would make it harder to understand the real ones.


Note: This ballot would go to an incidents list. If you were not interested
in such incidents, you would not need to subscribe.