Mozilla’s Root Store Housekeeping Program Bears Fruit

Just over a year ago, in bug 1145270, we removed the root certificate of e-Guven (Elektronik Bilgi Guvenligi A.S.), a Turkish CA, because their audits were out of date. This is part of a larger program we have to make sure all the roots in our program have current audits and are in other ways properly included.

Now, we find that e-Guven has contrived to issue an X509 v1 certificate to one of their customers.

The latest version of the certificate standard X509 is v3, which has been in use since at least the last millennium. So this is ancient magic and requires spelunking in old, crufty RFCs that don’t use current terminology but as far as I can understand it, whether a certificate is a CA certificate or an end-entity certificate in X509v1 is down to client convention – there’s no way of saying so in the certificate. In other words, they’ve accidentally issued a CA certificate to one of their customers, much like TurkTrust did. This certificate could itself issue certificates, and they would be trusted in some subset of clients.

But not Firefox, fortunately, thanks to the hard work of Kathleen Wilson, the CA Certificates module owner. Neither current Firefox nor the current or previous ESR trust this root any more. If they had, we would have had to go into full misissuance mode. (This is less stressful than it used to be due to the existence of OneCRL, our system for pushing revocations out, but it’s still good to avoid.)

Now, we aren’t going to prevent all misissuance problems by removing old CAs, but there’s still a nice warm feeling when you avoid a problem due to forward-looking preventative action. So well done Kathleen.

Prophetic…

Almost 20 years ago, two Christians from the Jubilee Centre pondered the possible consequences of the Euro:

Unfortunately, EMU [European Monetary Union] may well foster conflicts and increase nationalism among EU countries. If the system works well and an active fiscal policy compensates for the lack of an independent monetary policy, some countries will need to raise taxes in order to cool their economy even though the government is in strong surplus. Quite correctly, electorates will blame the system. However, if EMU fails, endemic unemployment will result in some countries due to an overvalued exchange rate for their needs and excessively high interest rates. Wage cuts in, or labour movements from, the countries thus affected seem unlikely, and the current treaty does not provide for fiscal transfers from a prospering country to a depressed one as a result of EMU. Hence, some countries will feel neglected in the interest rate setting process, and will demand restitution from the centre. To make matters worse, they could be having to cut spending and raise taxes in a recession to avoid being fined for an ‘excessive’ deficit, while having to bail out a collapsing banking system due to inappropriate interest rate levels.

If a country faces an unsustainable fiscal situation, it may be forced to threaten default on its debt or request help from other members. If a transfer or debt guarantee is granted, those populations in solvent countries may resent their taxes being used to bail out irresponsible governments elsewhere. If these payments have no democratic mandate, resentment of neighbouring countries within EMU may result.

— Paul Mills and Michael Schluter, Should Christians Support the Euro?, December 1998

The only thing they missed is that the bailed-out would also resent those who did the bailing…

Type 1 vs Type 2 Decisions

Some decisions are consequential and irreversible or nearly irreversible – one-way doors – and these decisions must be made methodically, carefully, slowly, with great deliberation and consultation. If you walk through and don’t like what you see on the other side, you can’t get back to where you were before. We can call these Type 1 decisions. But most decisions aren’t like that – they are changeable, reversible – they’re two-way doors. If you’ve made a suboptimal Type 2 decision, you don’t have to live with the consequences for that long. You can reopen the door and go back through. Type 2 decisions can and should be made quickly by high judgment individuals or small groups.

As organizations get larger, there seems to be a tendency to use the heavy-weight Type 1 decision-making process on most decisions, including many Type 2 decisions. The end result of this is slowness, unthoughtful risk aversion, failure to experiment sufficiently, and consequently diminished invention. We’ll have to figure out how to fight that tendency.

Jeff Bezos

Facebook Switches Off Email Forwarding

You remember that email address @facebook.com that Facebook set up for you in 2010, and then told everyone viewing your Facebook profile to use in 2012 (without asking)?

Well, they are now breaking it:

Hello Gervase,

You received this email because your gerv.markham@facebook.com account is set up to forward messages to [personal email address]. After 1 May 2016, you will no longer be able to receive email sent to gerv.markham@facebook.com.

Please update your email address for any services that currently send email to gerv.markham@facebook.com.

Thank You,
Email Team at Facebook

Good work all round, there, Facebook.

DMCA Section 512 Comments Submitted

A small milestone: the first post in my name on the Mozilla Net Policy blog has just been published. It concerns our filing comments for a US Copyright Office consultation on section 512 of the DMCA – the section dealing with safe harbo(u)rs for intermediary liability. Section 512 contains the rules that mean Facebook, Twitter and other platforms actually let you have a conversation and upload images and videos to talk about, rather than restricting that capability because they are too afraid of immediate copyright liability.

This is not to be confused with section 1201 of the DMCA, which gives the rules for the 3-yearly process for getting DMCA exceptions for important things like phone unlocking. We also filed comments in a consultation on that recently.

We hope that the Copyright Office’s recent attention to these sections bodes well for useful reforms to US copyright law.