I agree with Dimitris that weekly content-free “pings” even after the CA has indicated remediation is complete doesn’t seem to be terribly useful for anyone monitoring incidents. CAs are encouraged to watch the CA Certificate Compliance component, but such comments serve to increase the amount of noise from watching that component. I can imagine there’s similar pain for Mozilla representatives and others looking for meaningful updates on CA incidents.
Given this, I think Dimitris’s proposal to use the NI-flag is an effective way to signal that remediation is complete from the CA’s perspective and a representative needs to evaluate and make a determination on whether the remediation is sufficient.
Thanks,
Corey
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/72b32dec-b1f6-6716-c931-c6c9e6a4c598%40it.auth.gr.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BN7PR14MB21786D94093A998F691C008E92089%40BN7PR14MB2178.namprd14.prod.outlook.com.
I believe it was never Gerv's or this community's intention to require
clerical weekly updates even when all incident-related activities and
CA's commitments/remediations are claimed to be fulfilled.
Posting
repeated messages "nothing to report" doesn't add any value to the
incident report and contradicts with the "CAs may learn from the
incident" part of the policy. The volume of incidents and posts that
this community must review on a very regular basis has increased
significantly, so IMHO it would be reasonable to ask for reducing the
"noise", as Corey elegantly described this practice.
Taking this opportunity, I would also hope this community and its
leaders be a little more concerned when we have examples of:
> this has been a longstanding requirement and expectation
and yet we see repeated deviations of those expectations from multiple
CAs. IMO this is a clear indication that the policy/procedure is not
clear enough and needs to be improved/clarified.
Taking this opportunity, I would also hope this community and its
leaders be a little more concerned when we have examples of:
> this has been a longstanding requirement and expectation
and yet we see repeated deviations of those expectations from multiple
CAs. IMO this is a clear indication that the policy/procedure is not
clear enough and needs to be improved/clarified.
Somewhere there's a spectrum here, I hope we can agree. "underscores" is something that should have been clear, and yet CAs felt it wasn't, because the word "underscore" wasn't mentioned, just the rules that prohibited underscores. "No MITM CAs" is something that should have been clear, and yet CAs felt it wasn't, because the policy didn't say "no MITM CAs", it just said "must validate domains".. Mozilla Policy has long required disclosure of what validation methods CAs use - and yet we see CAs still, in 2021, failing to do so in their CP/CPS, or disclosing methods long forbidden.
I want to make sure that we're clear between "clarifying existing requirements" and "imposing new requirements". Your message implies that this is the latter, but that couldn't be further from the truth.
My point is that when this community sees repeated failures from many different CAs regarding the same issue, among other things it could also mean that there is some problem with the existing language either of the policy or a requirement or even an RFC language. We can ignore the signs and keep on seeing failures, even from CAs that have a good history of following all Root store operators' guidance and policies, or reduce this probability (of a misunderstanding of existing language) and provide clear language making the expectations unambiguously clear.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHHJNERGtHCqFG%3DXrFPna2pWAqK1VkAm_h972v2DgCt7NA%40mail.gmail.com.