Root Store Policy 2.5 Published

Version 2.5 of Mozilla’s Root Store Policy has now been published. This document incorporates by reference the Common CCADB Policy 1.0.1.

With this update, we have mostly worked through the backlog of modernization proposals, and I’d call this a policy fit for a transparent, openly-run root program in 2017. That doesn’t mean that there’s not more that could be done, but we’ve come a long way from policy 2.2, which we were using until six months ago, and which hadn’t been substantively updated since 2012.

We also hope that, very soon, more root store operators will join the CCADB, which will reduce everyone’s costs and administrative burdens on all sides, and hopefully allow root programs to be more responsive to changing circumstances and requests for inclusion or change.

Caddy Webserver and MOSS

The team behind the Caddy secure-by-default webserver have written a blog post on their experience with MOSS:

The MOSS program kickstarted a new era for Caddy: turning it from a fairly casual (but promising!) open source project into something that is growing more than we would have hoped otherwise. Caddy is seeing more contributions, community engagement, and development than it ever has before! Our experience with MOSS was positive, and we believe in Mozilla’s mission. If you do too, consider submitting your project to MOSS and help make the Internet a better place.

Always nice to find out one’s work makes a difference. :-)

Eurovision Bingo (chorus)

Some people say that all Eurovision songs are the same. (And some say all blog posts on this topic are the same…) That’s probably not quite true, but there is perhaps a hint of truth in the suggestion that some themes tend to recur from year to year. Hence, I thought, Eurovision Bingo.

I wrote some code to analyse a directory full of lyrics, normally those from the previous year of the competition, and work out the frequency of occurrence of each word. It will then generate Bingo cards, with sets of words of different levels of commonness. You can then use them to play Bingo while watching this year’s competition (which is on Saturday).

There’s a Github repo, or if you want to go straight to pre-generated cards for this year, they are here.

Here’s a sample card from the 2014 lyrics:

fell cause rising gonna rain
world believe dancing hold once
every mean LOVE something chance
hey show or passed say
because light hard home heart

Have fun :-)

Thunderbird’s Future Home Decided

Here’s the announcement. Rather than moving to live somewhere else like The Document Foundation or the Software Freedom Conservancy, Thunderbird will stay with the Mozilla Foundation as its fiscal home, but will disentangle itself from Mozilla Corporation infrastructure. As someone who has been helping steward this exploration process, I’m glad to see it come to a successful outcome.

Also in the world of Thunderbird, the community is discussing the future of the product, in the face of significant upcoming changes to the Gecko platform. On the table is a “Thunderbird++” rewrite/transformation using web technologies. Interesting times…

Don’t Pin To A Single CA

If you do certificate pinning, either via HPKP, or in your mobile app, or your IoT device, or your desktop software, or anywhere… do not pin solely to a single certificate, whether it’s a leaf certificate, intermediate or root certificate, and do not pin solely to certificates from a single CA. This is the height of self-imposed Single Point of Failure foolishness, and has the potential to bite you in the ass. If your CA goes away or becomes untrusted and it causes you problems, no-one will be sympathetic.

This Has Been A Public Service Announcement.

Buzzword Bingo

This is a genuine question from a European Union public consultation:

Do you see the need for the definition of a reference architecture recommending a standardised high-level framework identifying interoperability interfaces and specific technical standards for facilitating seamless exchanges across data platforms?

Words fail me.

Root Store Policy 2.4.1 Published

Version 2.4.1 of Mozilla’s CA Policy has now been published. This document incorporates by reference the Common CCADB Policy 1.0 and the Mozilla CCADB Policy 1.0. Neither of these latter two documents has changed in this revision cycle.

This version has no new normative provisions; it is a rearrangement and reordering of the existing policy 2.4. Diffs against 2.4 are not provided because they are not useful; everything appears to have changed textually, even if nothing has changed normatively.

It’s on days like this that one remembers that making the Internet a better, safer and more secure place often involves doing things which are very mundane. :-) The next job will be to work on version 2.5, of which more later.

Firefox Secure Travel Addon

In these troubled times, business travellers occasionally have to cross borders where the border guards have significant powers to seize your electronic devices, and even compel you to unlock them or provide passwords. You have the difficult choice between refusing, and perhaps not getting into the country, or complying, and having sensitive data put at risk.

It is possible to avoid storing confidential data on your device if it’s all in the cloud, but then your browser is logged into (or has stored passwords for) various important systems which have lots of sensitive data, so anyone who has access to your machine has access to that data. And simply deleting all these passwords and cookies is a) a pain, and b) hard to recover from.

What might be very cool is a Firefox Secure Travel addon where you press a “Travelling Now” button and it:

  • Disconnects you from Sync
  • Deletes all cookies for a defined list of domains
  • Deletes all stored passwords for the same defined list of domains

Then when you arrive, you can log back in to Sync and get your passwords back (assuming it doesn’t propagate the deletions!), and log back in to the services.

I guess the border authorities can always ask for your Sync password but there’s a good chance they might not think to do that. A super-paranoid version of the above would also:

  • Generate a random password
  • Submit it securely to a company-run web service
  • On receiving acknowledgement of receipt, change your Sync password to
    the random password

Then, on arrival, you just need to call your IT department (who would ID you e.g. by voice or in person) to get the random password from them, and you are up and running. In the mean time, your data is genuinely out of your reach. You can unlock your device and tell them any passwords you know, and they won’t get your data.

Worth doing?

Mozilla CA Policy 2.4 Published

Version 2.4 of Mozilla’s CA Policy has now been published. This document incorporates by reference the Common CCADB Policy 1.0 and the Mozilla CCADB Policy 1.0, two new documents which govern our use of the Common CA Database which we hope several root programs will use to ease the administration burden.

This seems pretty super-geeky, but having clear, current, enforceable policies regarding the CAs and root certificates in our root program is important for us to continue to be open and transparent about how we run it, and to enable us to continue to drive the security of the web (which depends on the certificate system) in a positive direction.

The policy had not changed for a long time before this update, so this update addressed issues which were uncontroversial and/or urgent. The next job is to rearrange it into a more logical order and then, after that, for version 2.5, we will be looking at some of the more difficult and longer-term policy challenges we face in this space. Here’s the issue tracker if you want to get some idea of what those are. :-)

Overheard at Google CT Policy Day…

Jacob Hoffman-Andrews (of Let’s Encrypt): “I tried signing up for certspotter alerts for a domain and got a timeout on the signup page.”
Andrew Ayer (of CertSpotter): “Oh, dear. Which domain?”
Jacob Hoffman-Andrews: “
Andrew Ayer: “Do you have a lot of certs for that domain?”
Jacob Hoffman-Andrews: “Oh yeah, I totally do!”
Andrew Ayer: “How many?”
Jacob Hoffman-Andrews: “A couple of hundred thousand.”
Andrew Ayer: “Yeah, that would do it…”

Technology Is More Like Magic Than Like Science

So said Peter Kreeft, commenting on three very deep sentences from C.S. Lewis on the problems and solutions of the human condition.

Suppose you are asked to classify four things –

  • religion,
  • science,
  • magic, and
  • technology.

– and put them into two categories. Most people would choose “religion and magic” and “science and technology”. Read Justin Taylor’s short article to see why the deeper commonalities are between “religion and science” and “magic and technology”.

FOSDEM Talk: Video Available

I spoke on Sunday at the FOSDEM conference in the Policy devroom about the Mozilla Root Program, and about the various CA-related incidents of the past 5 years. Here’s the video (48 minutes, WebM):

Given that this only happened two days ago, I should give kudos to the FOSDEM people for their high quality and efficient video processing operation.