> Vulnerabilities/incidents that may “significantly impact the confidentiality, integrity, or availability” of a CA's internal systems, regardless of direct impact on certificate issuance, must be reported if they pose ongoing risk to the overall integrity and security of CA operations. This includes significant impact not just to issuing systems, but also to network and server security, internal software, and the availability and reliability of certificate status services, such as CRLs and OCSP.
What is Mozilla's intent by the phrase "must be reported if they pose ongoing risk to the overall integrity and security of CA operations"?
More specifically:
- "Disclosed" to whom? Public? Just Mozilla?
- What does "if they pose an ongoing risk" mean? If it's a one-off attack, does that mean it does not need to be disclosed?
I'm also unsure about trusting CAs to determine the significance of such an attack. We've seen recently that a few CAs have really jumped to making claims such as "this incident has no security impact" before doing any proper RCA or even understanding the extent of the incident. Has Mozilla found any issues with leaving the determination up to CAs in the past?
Specifically, section 2.4:
> When a CA operator fails to comply with any requirement of this policy - whether it be a misissuance, a procedural or operational issue, or any other variety of non-compliance - the event is classified as an incident and MUST be reported to Mozilla as soon as the CA operator is made aware.
Is a security incident like the one I posted above considered an instance of a CA "failing to comply"?
In 2.4.1 we see:
> Additionally, and not in lieu of the requirement to publicly report incidents as outlined above, a CA Operator MUST disclose a serious vulnerability or security incident in Bugzilla as a secure bug in accordance with guidance found on the Vulnerability Disclosure wiki page.
From my reading here, this means that all security vulnerabilities are being disclosed privately to Mozilla. I guess this kind of makes sense here.
Would Mozilla be open to having a limited cooling-off period where these secure bugs stay private, but after that period the information becomes public?
My justification for asking this is:
- Other CAs can and should learn from how a CA responded to a security incident.
- There may be commonalities in attack patterns that these incidents being public can help surface.
- It reassures the community that these incidents are being taken seriously by allowing third parties to also verify and validate the incident response and mitigation items.
Beyond this, I'd also be interested in hearing if Chunghwa Telecom has disclosed the impact of this recent attack on their systems (if any) to Mozilla and the other root programs.