SecurityEngineering/Jan2013WorkWeek/07-SSL NSS PSM Planning
1/16 at 1:15pm
Session Lead: Kathleen (and bsmith and Sid)
Kathleen presents things we need to do to stay current and regain the lead on SSL/CA stuff.
TODO
https://etherpad.mozilla.org/CA-2013planning
There's a lot of things we need to do in 2013 to not fail at SSL and such.
- Responding when there's an issue with the CA
- Not let NSS fail due to insufficient tests and infrastructure
- UI is not good enough
- Need to detect misissuance
Priority 2: need to catch up on industry standards.
- Libpkix
- OCSP/CRL stapling
- Preventative measures (compliance checks in code)
Priority 3: Push the security bar higher
- updates to CA cert policy (audit & disclosure)
What can we do to have more impact on the web? Worried that google has become the thought leader in secure communications, and want to take it back.
ALSO CA things:
https://wiki.mozilla.org/CA:MaintenanceAndEnforcement Goal: list potential problems and what our responses should be. If we had a plan, someone else could have taken up slack if we (the CA-administration folks) are all on a plane over the ocean.
Currently documenting what users need to do to distrust CAs when there are problems.
Project Planning:
https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AroPYigJXMK4dDZBcWQ1bTd6eVRoZ3hFQ1JyUk5iRGc#gid=0 List of problems we think need to be solved, their priority, and some additional context.
(See the spreadsheet for details)
How much should we be dealing with clean-up vs. preventative features?
- bsmith thinks we should start with preventative, focus on that first (but we need to do both)
- kwilson wants to find a way to catch issues
Action Items
- [kwilson] will talk to legal/privacy about collecting pin-violation certs if someone [cviecco] helps engineer it
- [sid] gather meeting to brainstorm solutions for problems in our spreadsheet
- [kathleen] collect "priority adustment" requests from the team for SSL problems and help get us to a steady state on problem prioritization.