
Root Program Guidance/Issue Classification


Ben Wilson

Feb 7, 2025, 12:24:55 PM
to dev-secur...@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1942879 - Issue identified and the delay was unintentional -> Note that in this case the issue was "malware filtering blocked CPR", which was sufficiently distinct from "spam filter blocked CPR" that multiple CAs did not extrapolate from the latter to the former when monitoring previous incidents. This makes me feel that perhaps more attention could be paid by the root programs to explaining how they expect CAs to address classes of issue, rather than just the most narrowly-interpreted case specifically implicated in an incident. Closing the bug ahead of that clarity coming from root programs or, failing that, peer CAs or other community members, seems like a missed opportunity to avoid future incidents like "we block things that have a non-ASCII sender name" or whatever the next fine speciation would be.

For guidance on defining classes of issues to provide guidance on, we have at least somewhere to start:

1- Whiteboard Incident Classifications (https://wiki.mozilla.org/CA/Bug_Triage#Whiteboard_Tags)
3- Statistical summaries of incidents (Mozilla root program reports to the CABF).  E.g.:
From here, we could try and create high-level guidance and clarify expectations for each general class of issue (guidance on how CAs should interpret and implement root program requirements, how CAs should handle revocation, disclosure, and incident reporting). Here is another classification list with 7 high-level categories:

1. Certificate Issuance Issues

  • Misissuance of Certificates (e.g., improper domain validation, incorrect key usage, subject DN errors)
  • Inadequate Pre-Issuance Linting (failure to detect BR violations before issuance)
  • Certificate Profiles and Extensions (incorrect EKUs, lack of compliance with current standards)

2. Validation and Identity Verification Failures

  • Domain Validation (DV) Weaknesses (improper DNS, HTTP, or email validation)
  • Organization Validation (OV) and Extended Validation (EV) Failures
  • S/MIME Validation Failures (misinterpretation of identity proofing requirements)
  • Wildcard and Multi-Domain Certificate Validation

3. Revocation Response Failures

  • Failure to Revoke in a Timely Manner (delayed response to misissuance or compromise)
  • Inadequate Revocation Reasoning (inconsistent or improper use of revocation reason codes)
  • Delayed Revocation Justifications (unsubstantiated or improperly handled delayed revocation cases)
  • Revocation Checking Failures (OCSP, CRL unavailability or poor performance)
  • Improper Handling of Key Compromise (delayed responses)

4. Incident Reporting and Root Program Communication Issues

  • Delayed or Incomplete Incident Reports (not reporting security or compliance incidents in a timely manner)
  • Insufficient Root Program Notification (failure to disclose new intermediates or key lifecycle events)
  • Disclosure Failures in CCADB (not updating CCADB with required information in a timely manner)
  • Failure to Address Prior Incidents (repeated issues due to inadequate corrective actions)
  • Misclassification of Incidents (underreporting or misreporting compliance issues)

5. Policy and Compliance Failures

  • Non-Conforming Certificate Policies and CPS Documents (failure to align with BRs or root program policies)
  • Inconsistent Policy Updates (failure to update CP/CPS to reflect new requirements)
  • Failure to Implement New Root Program Policies (e.g., delays in adopting MPIC, new S/MIME Baseline Requirements)

6. Subscriber-related Issues

  • Inadequate Subscriber Agreements (lack of proper subscriber obligations)
  • Failure to Educate Subscribers on Proper Certificate Usage
  • Failure to Support Automation for Subscribers (slow migration to ACME or automated certificate renewal)

7. Ecosystem-Wide Issues Affecting Multiple CAs

  • Inconsistent Handling of Email Filtering Issues (spam/malware blocking certificate problem reports)
  • Failure to Keep Up with Changes in Industry Standards (e.g., MPIC, CAA, etc.)
  • Failure to Address Systemic Risks in CA Practices (repeated industry-wide issues, lack of proactive mitigation)

I am open to suggestions on how to move forward in response to Mike's comment.

Thanks,

Ben


