Friday, June 5, 2015

June 9 Update:

In what is probably just a case of great minds thinking alike, the US House of Representatives Energy & Commerce committee sent letters to the browser vendors asking about restricting government CAs.

On June 5, 2015, Microsoft updated the "Microsoft Trusted Root Certificate: Program Requirements".

I think this is when it was changed. There is no date or version on the page; unlike the former version, you can't tell when it changed or view revision history.

The previous version was at the link below, which shows the history; it was updated to redirect to the page above.

The second-to-last word on the current page is a typo, "thhhe"; when that is fixed we'll know something changed, but what... (I archived it.)


A lot has changed, some notable and welcome changes:

 "7. All roots that are being used to issue new certificates, and which directly or transitively chain to a certificate included in the Program, must either be limited or be publicly disclosed and audited."

This seems to mean that intermediate Certificate Authority certificates require WebTrust / ETSI audits, or constraints. This is great news: many of the breaches in the past have been from sub-CAs, including the recent CNNIC incident.

 "8. Government CAs must restrict server authentication to .gov domains and may only issues other certificates to the ISO3166 country codes that the country has sovereign control over (see section III for the definition of a “Government CA”). 

 9. Government CAs that also operate as commercial, non-profit, or other publicly-issuing entities must use a different root for all such certificate issuances (see section III for the definition of a “Commercial CA”)."

These are changes that people have been clamoring for; for example, there has been concern about US and other government Certificate Authorities being able to issue general server authentication certificates.
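One way an auditor could check issued names against requirement 8, as an added example that is not from Microsoft or the program text. It assumes the requirement can be read as an allow-list of DNS suffixes (`.gov` plus the government's own country-code TLD), uses RFC 5280 style label-boundary matching, and uses `xx` as a placeholder country code; the function names and sample names are constructed.

```python
# Added example: flag certificate dNSNames that fall outside an allow-list of
# DNS suffixes. The allow-list reading of requirement 8 is an assumption.

def normalize(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []

def within(name, permitted):
    """True if 'name' equals 'permitted' or ends with it on a label boundary,
    so 'gov' covers 'a.gov' but not 'notgov' or 'a.gov.example.com'."""
    n = normalize(name)
    p = normalize(permitted.lstrip("."))  # accept both '.gov' and 'gov'
    if not n or not p or "" in n or "" in p:
        return False  # empty or malformed names never match
    if n[0] == "*":
        n = n[1:]  # wildcard: the remaining labels must still be in the subtree
    if "*" in n:
        return False  # wildcard anywhere but the leftmost label is rejected
    return len(n) >= len(p) and n[-len(p):] == p

def audit(dns_names, permitted_suffixes):
    """Return the names that are outside every permitted suffix."""
    return [n for n in dns_names
            if not any(within(n, p) for p in permitted_suffixes)]

# Constructed sample: names from hypothetical certificates issued under a
# government root whose country code is the placeholder 'xx'.
PERMITTED = [".gov", ".xx"]
SAMPLE_NAMES = [
    "www.agency.gov", "*.portal.gov", "Tax.Ministry.XX.",
    "www.example.com", "notgov", "agency.gov.example.com",
    "login.xx.example.net",
]

if __name__ == "__main__":
    for bad in audit(SAMPLE_NAMES, PERMITTED):
        print("outside permitted namespace:", bad)
```

Suffix checks that compare raw strings instead of labels would accept `notgov` and miss the trailing-dot and mixed-case forms, which is why the comparison is done on normalized label lists.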


Transparency. Mozilla provides a good example: everything is transparent. Microsoft might want to allow applications to remain non-public during the initial process. However, this is PUBLIC Key Infrastructure, and customers have given MS their trust. Once a CA is accepted and scheduled for distribution, customers should have the opportunity to review the criteria and decide whether to accept or block the trust. NIST.SP.800-52r1 section 4.5.2 requires administrators to manage the certificate trust list.

Minimum transparency would include a public notice after Step 2 of the intake process, along with a public comment period. Public comments are normal for IETF, NIST, and other standards discussions, and could occur here. There is a possibility that the public may have strong, even misguided opinions, but a robust public process can survive public discourse.

When the new update to the Root Certificate Trust list is released, it should include advance customer notification such as through the Security Bulletin process.
