
Mozilla was faced with what appears to be the worst possible abuse of the privilege of being a Mozilla CA root. The abuse happened for commercial purposes. The transaction that occurred was on its face abusive of the CA system. The CA hasn't (and probably can't) name the company that was given illegitimate CA privileges.

In response to this, Mozilla sent out a letter. That letter doesn't even instruct CAs not to sell subCAs! It says, "don't sell them for MITM purposes".

I think Mozilla is between a rock & a hard place here, but there is no spin I think you can put on this story in which Mozilla stood up against abuse of trust.



> Mozilla is between a rock & a hard place here, but there is no spin I think you can put on this story in which Mozilla stood up against abuse of trust

I'm not sure it's worth our energy to be so disappointed in Mozilla here. That "they're between a rock and a hard place" precisely is the spin within which they stood up against abuse of trust.

They have sent out a letter so far. One of your worries appears to be that it sets the precedent that companies who do what Trustwave did can expect (only) letters in the future. But (iirc, and perhaps even in the bugzilla thread) one of the stated purposes of the letter is to set the opposite precedent: to publicly warn commercial CAs that future bullshit will result in distrusting.

I happen to think Trustwave had plenty of warning without the letter, but this particular hard place is particularly thorny because Mozilla is such a central policy hub. That's a problem you touched on above, that we agree needs a fix, but it's the way things are today.

The other half of the hard place is that before Trustwave pulled this BS, they issued a whole lot of legit commercial certs to a predominantly innocent user population. And you know, they can and should all go acquire certs from someone else, but they can't do that overnight. So if we really want Trustwave to get distrusted, I feel like we should focus our energy on a) telling people that Trustwave sucks and urging them to migrate, and b) paying attention/effort to initiatives like the one you mentioned from MM.


I'm mostly with you. But Mozilla could issue a blanket moratorium on the issuance of CA=YES certs to external organizations; Verisign would, during the moratorium, only be allowed to issue chained CA certs for Verisign properties.

They could do that today. Nothing would break.

Then they could spend some time --- spend as much time as they like, really --- coming up with a policy that allows extraordinarily trusted companies to sponsor and sign subCAs.

But they didn't do that. It's not just that they only issued a letter; it's that the letter is comically weak.
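The moratorium proposed above amounts to a mechanical check on a certificate chain: any CA:TRUE certificate whose subject organization differs from its issuer's organization is a sub-CA granted to an outside party. The following Go program is an added example, not code from this thread, from Mozilla or from any CA; the mintCA helper, SampleChain, and the organization names in it are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
// mintCA: hypothetical helper issuing a CA:TRUE cert (self-signed when parent is nil).
func mintCA(cn, org string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ExternalSubCAs returns the CNs of CA:TRUE certs whose subject O differs from the
// issuer's O, i.e. sub-CA certs handed to an outside party. Self-signed roots are skipped.
func ExternalSubCAs(chain []*x509.Certificate) []string {
	var flagged []string
	for _, c := range chain {
		if !c.BasicConstraintsValid || !c.IsCA || c.CheckSignatureFrom(c) == nil {
			continue
		}
		if strings.Join(c.Subject.Organization, "/") != strings.Join(c.Issuer.Organization, "/") {
			flagged = append(flagged, c.Subject.CommonName)
		}
	}
	return flagged
}
// SampleChain: constructed root, in-house sub-CA (same O) and a sub-CA for an unrelated O.
func SampleChain() []*x509.Certificate {
	root, rootKey := mintCA("Example Root CA", "Example Root Org", 1, nil, nil)
	internal, _ := mintCA("Example Issuing CA", "Example Root Org", 2, root, rootKey)
	external, _ := mintCA("Acme Appliances Sub CA", "Acme Appliances Inc", 3, root, rootKey)
	return []*x509.Certificate{root, internal, external}
}
```

A real audit would run this over the sub-CA certificates a root program collects from its members, not over certificates it minted itself, and would treat an empty Organization on either side as a finding rather than a match.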


I think what Mozilla have done here is to provide an incentive for any other CAs who may have already done what TrustWave did to quickly own up, revoke the certificates, and promise not to issue any more.

If they'd immediately executed TrustWave, the incentive would be for any other CAs who've done the same thing to double-down and hide it, which would leave us in an overall worse position.

In other words, it's a temporary amnesty - a strategy which has a good history of working well.


While I don't generally buy the notion that this is carefully-calculated hardball on the part of Mozilla, I agree that immediate revocation isn't the only reasonable outcome here. What disappoints me the most is that the response leaves the unaccountable system of for-profit subsidiary CAs untouched.


Agreed. Any subsidiary CA should be meeting all the requirements imposed on the root CAs - and if they are, then they could simply be included in the browser root programs in their own right rather than paying another CA for a sub-CA cert.



