[SSL Observatory] Mozilla survey complete?

Jacob Appelbaum jacob at appelbaum.net
Mon Sep 19 08:23:38 PDT 2011


On 09/19/2011 04:53 PM, Johnathan Nightingale wrote:
> On 2011-09-19, at 10:50 AM, Gervase Markham wrote:
> 
>> On 17/09/11 13:39, Larry Seltzer wrote:
>>> The deadline for Mozilla's survey of CAs is over. I know I want
>>> to know the results and who didn't get their results in on time
>>> and what the consequences of that will be.
>> 
>> All but one CA emailed has responded; we are chasing that CA to see
>> if the message got caught in their spam filters.
>> 
>> We have no plans to publish the data gathered.
> 
> 
> (To clarify, lest we spin a whole thread ranting about disclosure and
> transparency, Gerv means precisely what he says: we have no plans. We
> may well talk about the response we've seen from the CAs, perhaps in
> generalities, perhaps in particulars where appropriate. We have not
> made plans on the subject as of yet.)
> 
> 

What is the appropriate forum for the greater community to participate
in these discussions?

I know that I'm not alone in hoping to see the Mozilla CA page updated
with some kind of Mozilla assessment as a result of the survey letter.
The least of which is an update with the dates of any response and
reports of any kind of possible compromise. The attacker has claimed
something around four CA compromises and if this is true, I think the
lesson from Comodo and DigiNotar is that silence is a kind of
complicity. As one of the directly targeted groups, I know that the Tor
Project really wants to work towards useful answers.

I'm not interested in spinning a thread out about disclosure and
transparency here. Still, I would like to know that such a discussion is
happening somewhere; Mozilla is a fine place for such a thing.
Additionally, I'd also like to know if the results of such a discussion
will actually benefit everyone, or if someone else will have to conduct
similar surveys.

We all generally trust Mozilla to do the right thing. Nonetheless, it
is also sometimes the case that security takes a back seat until it is
impossible to ignore. This is likely why a few CAs have been totally and
entirely compromised this year - Mozilla deserves none of the blame for
that and only praise for a good security response. Mozilla has been
really taking a positive lead on this and I hope that the wider
community continues to benefit from that lead.

All the best,
Jacob


