MRSP 3.0: Issue #276: Delayed Revocation
Ben Wilson
All,
The purpose of this email is to start discussion of Mozilla GitHub Issue #276 ("Address Delayed Revocation"). We would like to collect comments and feedback on a proposal to address delayed certificate revocation from a Mozilla perspective. It builds on prior discussions and feedback regarding delayed revocation, and the proposal is meant to replace guidance currently provided on the Mozilla CA wiki.
Here is the comparison link for a proposed new section 6.1.3 in the MRSP:
Summary
Here are the highlights of the proposal:
- Revocation must occur promptly in compliance with the timelines set in section 4.9.1 of the TLS Baseline Requirements (TLS BRs). Mozilla does not grant exceptions to these timelines.
- New CA Obligations:
- Educate subscribers on revocation timelines and discourage reliance on certificates in systems that cannot tolerate timely revocation.
- Include contractual language requiring subscriber cooperation with revocation timelines.
- Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.
- Beginning April 15, 2026, CA audit reports must attest to compliance with the mass revocation planning requirements.
- Delayed revocation incidents must be reported per version 2.1 of the CCADB's Incident Reporting Guidelines (as currently proposed)
- Repeated delayed revocation incidents will result in heightened scrutiny or sanctions, which may include root removal.
Background
Earlier this year, on this list, I proposed an Interim Policy to Address Delayed Revocation. While the proposed interim policy provided clarity, it faced criticism regarding implementation complexity, burden on subscribers and CAs, and the feasibility of associated measures, such as transitioning delayed revocation domains to 90-day certificates. Also, there were subsequent proposals aimed at reducing certificate lifetimes and encouraging automation. See e.g. https://github.com/cabforum/servercert/pull/553.
This new proposal drops proposed measures such as domain-specific tracking and subscriber attestations and instead focuses on subscriber education, mass revocation preparedness, and robust incident reporting as the primary mechanisms for improving agility and transparency regarding delayed revocation.
If adopted, the proposed MRSP § 6.1.3 would replace the current guidance on delayed revocation in Mozilla’s wiki and ensure consistency with the CCADB's Incident Reporting Guidelines.
I welcome your feedback on this draft proposal. Please share your thoughts, questions, or concerns to help us refine and improve it further.
Thanks,
Ben Wilson
Mozilla Root Store
Pedro Fuentes
Ben Wilson
All,
As part of the discussions on this proposal, namely that CAs “maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period,” I’ve received a few comments via private channels, and to ensure transparency and foster discussion, I am sharing them here anonymously:
1. “Mozilla does not grant exceptions…” -- this is the most important signal that Mozilla can provide.
2. If certificate consumers want to prohibit delayed revocation, then they need to make it clear to CAs that they won't accept it and that they will kick them out of the root stores if they still do it. Don't try to solve this issue with indirect measures like random revocations. Just be straight about it and make it clear that there will be consequences for the very first delayed revocation and onward.
3. We will face big problems in revoking productive customer certificates just to test our mass-revocation plan and procedures. Our current customer contracts do not foresee this. While we can revoke at any time for security or compliance reasons, this authorization should not be used just to test mass-revocation. This will also require us to push out contract changes to our complete TLS customer base, which will take a considerable amount of time and effort.
4. This part of the proposal should occur within the CA/Browser Forum
through amendments to the TLS Baseline Requirements, and not via Mozilla
Root Store Policy.
5. Why was the number 30 chosen as a sample? Some CA operators issue very few certificates, while some CAs issue millions of certificates.
I welcome your feedback on these points, the random sampling proposal, and any others.
Thanks,
Ben
Mike Shaver
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/71b07640-d425-4f2f-8da4-d97a9475b9f6n%40mozilla.org.
Jeremy Rowley
Wayne
Rich Salz
As part of the discussions on this proposal, namely that CAs “maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period,” I’ve received a few comments via private channels, and to ensure transparency and foster discussion, I am sharing them here anonymously:
Ben Wilson
Dear Rich,
Thank you for your question.
I think it would be advisable for a CA operator’s mass-revocation testing plan to include an immediate notice to all customers whose certificates were randomly selected because we would want to minimize disruption to server operations while testing the CA’s ability to revoke and replace certificates promptly.
That said, CAs should consider performing occasional tests that go beyond providing pre-generated replacement certificates, in which subscribers
generate and submit new public keys. That would address the risks from a
widespread incident, like Heartbleed, where the potential compromise of private keys
necessitated key pair replacement. Preparing for such scenarios ensures that subscribers will be able to quickly perform the tasks of key pair generation, public
key submission, and certificate installation.
Much to discuss.
Thanks again,
Ben
Matt Palmer
> As part of the discussions on this proposal, namely that CAs “maintain and
> test mass revocation plans annually, including the revocation of 30
> randomly chosen certificates within a 5-day period,” I’ve received a few
> comments via private channels, and to ensure transparency and foster
> discussion, I am sharing them here anonymously:
>
> 1. “Mozilla does not grant exceptions…” -- this is the most important
> signal that Mozilla can provide.
appears that this wording has been open to misinterpretation.
> 2. If certificate consumers want to prohibit delayed revocation, then they
> need to make it clear to CAs that they won't accept it and that they will
> kick them out of the root stores if they still do it. Don't try to solve
> this issue with indirect measures like random revocations. Just be straight
> about it and make it clear that there will be consequences for the very
> first delayed revocation and onward.
would go some way to encouraging good behaviour. The current approach,
where non-compliance may or may not have any repercussions for the CA,
doesn't help those within the CA who are fighting the good fight to push
back against terrible ideas. "It might lead to bad things happening" is
a very weak argument compared to "if we do this, Mozilla will definitely
remove us from their trust store".
> 3. We will face big problems in revoking productive customer certificates
> just to test our mass-revocation plan and procedures. Our current customer
> contracts do not foresee this. While we can revoke at any time for security
> or compliance reasons,
RNJesus has decided that today's your turn in the barrel" if not a
compliance reason?
> 4. This part of the proposal should occur within the CA/Browser Forum
> through amendments to the TLS Baseline Requirements, and not via Mozilla
> Root Store Policy.
suggests, *Baseline* Requirements are the very lowest common denominator
that all parties are willing to accept; hog-tying one trust store that
wishes to innovate is completely unacceptable.
> 5. Why was the number 30 chosen as a sample? Some CA operators issue very
> few certificates, while some CAs issue millions of certificates.
suggest "30 or 0.N% of annual issuance volume, whichever is lower" type
of language, but when I thought about it further, if an entire CA is
issuing so few certificates that revoking 30 is an unreasonable burden,
I'd be very concerned about their operational practices in general,
given how little practice they get with them.
On the subject of the selection of certificates, I'd like to echo the
other comments expressing concerns about the degree to which CAs might
seek to "game" the random selection. It's one of those "it's too easy
to do, and too hard to get caught" situations where shenanigans (or even
the appearance of shenanigans) like to live.
- Matt
Roman Fischer
Dear everybody,
>Point 3 is unusual as revocation for compliance reasons is explicitly outlined, and that's all that this is? There isn't any new changes to the legal language required that I can see.
I checked with our legal department and they clearly stated that we will have to amend the contracts if we want to be sure that we can't be sued for damages inflicted by random revocation. Current language (at least in our contracts) allows us to revoke in case of security incidents, non-compliance and some other cases. But a preventative revocation would currently not be covered.
Also, I'm not convinced that it will motivate many customers towards automation. Most will probably just gamble and bet on not being in the unlucky 30, especially if they get their certs from a large CA... 😉
>Point 4 has been covered, being above the baseline requirements is barely noteworthy but encouraging these practices in more programs is good advice.
Regarding a comment made in another mail, I think it's fair to say that most public trust CAs -need- to conform to all major root store policies to be of any value for their customers. The more fragmented these root store policies are, the more complex (and error prone!) complying to them becomes. For this reason, we would really encourage the root store operators to converge on requirements set forward.
Kind regards
Roman
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c2290409-2ef1-4295-8f5d-13369f2dbbe1n%40mozilla.org.
Andrew Chen
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Mike Shaver
Andrew Chen
Mike Shaver
Dear everybody,
>Point 3 is unusual as revocation for compliance reasons is explicitly outlined, and that's all that this is? There isn't any new changes to the legal language required that I can see.
I checked with our legal department and they clearly stated that we will have to amend the contracts if we want to be sure that we can't be sued for damages inflicted by random revocation. Current language (at least in our contracts) allows us to revoke in case of security incidents, non-compliance and some other cases. But a preventative revocation would currently not be covered.
Also, I'm not convinced that it will motivate many customers towards automation. Most will probably just gamble and bet on not being in the unlucky 30, especially if they get their certs from a large CA...
Regarding a comment made in another mail, I think it's fair to say that most public trust CAs -need- to conform to all major root store policies to be of any value for their customers. The more fragmented these root store policies are, the more complex (and error prone!) complying to them becomes. For this reason, we would really encourage the root store operators to converge on requirements set forward.
Mike Shaver
Jeremy Rowley
Mike Shaver
Jeremy Rowley
Jeremy Rowley
> 2. If certificate consumers want to prohibit delayed revocation, then they
> need to make it clear to CAs that they won't accept it and that they will
> kick them out of the root stores if they still do it. Don't try to solve
> this issue with indirect measures like random revocations. Just be straight
> about it and make it clear that there will be consequences for the very
> first delayed revocation and onward.
> would go some way to encouraging good behaviour. The current approach,
> where non-compliance may or may not have any repercussions for the CA,
> doesn't help those within the CA who are fighting the good fight to push
> back against terrible ideas. "It might lead to bad things happening" is
> a very weak argument compared to "if we do this, Mozilla will definitely
> remove us from their trust store".
+1000 to this. The current framework is to let the CAs guess what will happen if they delay revocation or violate the BRs. When you talk to subscribers with the browsers, there is a weird tension from both sides to have the CA allow a delay or allow a violation but then accept responsibility. Having been in the middle of "exceptional circumstances" before, I can tell you that knowing whether a violation is a distrust-worthy event or just a bad idea is difficult. Understanding clear consequences will make every internal discussion and external discussion far easier.
> 3. We will face big problems in revoking productive customer certificates
> just to test our mass-revocation plan and procedures. Our current customer
> contracts do not foresee this. While we can revoke at any time for security
> or compliance reasons,
> RNJesus has decided that today's your turn in the barrel" if not a
> compliance reason?
I agree with Matt - it is a compliance-based revocation. Plus, Section 4.9.1.1 states: "Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement for a reason that is not otherwise required to be specified by this section 4.9.1.1 (CRLReason “unspecified (0)” which results in no reasonCode extension being provided in the CRL);". Just add the revocation reason of "random sampling" to the CPS and the problem is solved.
> 5. Why was the number 30 chosen as a sample? Some CA operators issue very
> few certificates, while some CAs issue millions of certificates.
> suggest "30 or 0.N% of annual issuance volume, whichever is lower" type
> of language, but when I thought about it further, if an entire CA is
> issuing so few certificates that revoking 30 is an unreasonable burden,
> I'd be very concerned about their operational practices in general,
> given how little practice they get with them.
> On the subject of the selection of certificates, I'd like to echo the
> other comments expressing concerns about the degree to which CAs might
> seek to "game" the random selection. It's one of those "it's too easy
> to do, and too hard to get caught" situations where shenanigans (or even
> the appearance of shenanigans) like to live.
Rich Salz
I think it would be advisable for a CA operator’s mass-revocation testing plan to include an immediate notice to all customers whose certificates were randomly selected because we would want to minimize disruption to server operations while testing the CA’s ability to revoke and replace certificates promptly.
Ben Wilson
Matt Palmer
> Mike -- that's a reasonable point. I suppose making it a date OR percentage
> of ARI adoption isn't likely to change things, either. It would be nice if
> we could incentivize ARI adoption and make random revocation a non-event
> for many? most? people.
and revoking them, with five days advanced notice provided via ARI.
- Matt
Matt Palmer
> I agree that educating subscribers has been largely ineffective. However,
> randomly causing outages won't solve the issue.
DR practices than several decades of education was.
> automation. Only allow CAs to deliver certificates via an automated
> solution and all of a sudden you have 100% automation adoption.
automation adoption. The evidence I've collected
(https://www.hezmatt.org/~mpalmer/blog/2024/01/30/why-certificate-automation-matters.html)
suggests to me that some fraction of people who use ACME for certificate
issuance are still manually handling at least some part of the
certificate lifecycle, and it's the whole lifecycle that matters when
determining whether prompt certificate replacement is feasible, not just
issuance.
- Matt
Rich Salz
Oh, I don't know... ransomware has been far more effective at improving
DR practices than several decades of education was.
Dimitris Zacharopoulos
The CA cannot issue a replacement certificate if the Domain and/or Identity Validation reuse period has expired.
Some CAs even choose to request fresh domain validations at every issuance.
DZ.
Dec 19, 2024 22:24:31 Rich Salz <rich...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Rich Salz
Mike Shaver
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Watson Ladd
does work decently well for browsers.
>
> --
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
--
Astra mortemque praestare gradatim
Dimitris Zacharopoulos
DZ.
Dec 23, 2024 13:30:45 Rich Salz <rich...@gmail.com>:
Matt Palmer
> FWIW, I don't like the approach of random revocations. I would prefer
> to focus on re-issuance and certificate rollover exercises by each CA,
> providing statistics of how subscribers perform, without any real
> disruptions. Instead of selecting certificates for revocation, select
> certificates for re-issuance and rollover in 5 days.
actually taken place.
- Matt
Dimitris Zacharopoulos
Dimitris.
Dec 23, 2024 21:52:24 Matt Palmer <mpa...@hezmatt.org>:
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Mike Shaver
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/4072d67e-6e30-4c01-a18b-993b94102a41%40it.auth.gr.
Roman Fischer
I think the problem of delayed revocation is automatically solved once the proposed clarification by Mozilla (and other root store operators) clearly states that delayed revocation will unconditionally to removal from the trust store. Why invent a whole new mechanism when the same goal can be achieved much easier?
Kind regards & welcome to 2025
Roman
Dimitris Zacharopoulos
I think the problem of delayed revocation is automatically solved once the proposed clarification by Mozilla (and other root store operators) clearly states that delayed revocation will unconditionally to removal from the trust store. Why invent a whole new mechanism when the same goal can be achieved much easier?
Best regards,
Dimitris.
Roman Fischer
I think we can't have both (be able to revoke any certificate within 24h/5d *and* be considerate about possible negative effects).
As far as the discussion here seems to go: Revocation within 5 days seems to be more important. I *personally* don't agree but if that's the way things are going to be, then I'm in favor of strict and clear rules.
Cheers
Roman
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/5fe1e9c2-3598-4001-9447-2f6ec646770f%40it.auth.gr.
Rich Salz
As far as the discussion here seems to go: Revocation within 5 days seems to be more important. I *personally* don't agree but if that's the way things are going to be, then I'm in favor of strict and clear rules.
Martijn Katerbarg
Hi Ben,
> Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.
We believe this part of the proposal will not have the intended effect, and would rather cause annoyance with Subscribers. Let me explain why:
Over the years, Sectigo has done several mass revocations. We have procedures in place for handling these in a compliant fashion, and these procedures have worked. For a total of 30 certificates, we would not use our mass revocation
procedures; rather, for 30 certificates it’s far more effective to pick a handful of employees to perform manual outreach to customers. Contacting customers directly and personally ensures that they are taking steps to replace each certificate before it is
revoked, and it’s do-able for 30 certificates. It’s not do-able for 30,000 certificates.
Question: What is this requirement hoping to accomplish? Is it (1) to confirm that CAs have a revocation plan available and tested; or (2) to make sure Subscribers have such a plan in order and are ready for it at any time?
If the answer is number 2, we’re very skeptical that it would be successful. Going by https://crt.sh/cert-populations, we’re counting around 1 billion unexpired pre-certificates. Let’s take that as a ballpark number. Based on CCADB records, there’s about 55 distinct CA Owners included in the Mozilla Root Store. 55 times 30 certificates become 1650 revocations per year. That means, as a Subscriber, (ignoring math around which CA Owner I’d use) each of my unexpired certificates would have a 0.000165% chance of being randomly selected for revocation out of all unexpired certificates out there. That chance would further decline if I’d use one of the top 10 CAs based on number of issued certificates. I’m not sure how much that would spur Subscribers to change tactics.
Additionally, we feel that several CAs have already shown that they are able to perform mass-revocations throughout the year, in full compliance with the BR mandated revocation deadlines. Wouldn’t it be fairer to only impose this random revocation requirement on those CAs that have actually had delayed revocation incidents?
i.e., If a CA hasn’t had a delayed revocation incident in the last 12 months, then they MAY perform any random revocations; whereas if a CA has had a delayed revocation incident in the last 12 months, then they MUST.
Regards,
Martijn Katerbarg
Sectigo
From:
dev-secur...@mozilla.org <dev-secur...@mozilla.org> on behalf of Rich Salz <rich...@gmail.com>
Date: Friday, 3 January 2025 at 19:22
To: Roman Fischer <roman....@swisssign.com>
Cc: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: MRSP 3.0: Issue #276: Delayed Revocation
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
Rob Stradling
> 1. “Mozilla does not grant exceptions…” -- this is the most important signal that Mozilla can provide.
> - Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.
Sent: 18 December 2024 17:17
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: MRSP 3.0: Issue #276: Delayed Revocation
All,
As part of the discussions on this proposal, namely that CAs “maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period,” I’ve received a few comments via private channels, and to ensure transparency and foster discussion, I am sharing them here anonymously:
1. “Mozilla does not grant exceptions…” -- this is the most important signal that Mozilla can provide.
2. If certificate consumers want to prohibit delayed revocation, then they need to make it clear to CAs that they won't accept it and that they will kick them out of the root stores if they still do it. Don't try to solve this issue with indirect measures like random revocations. Just be straight about it and make it clear that there will be consequences for the very first delayed revocation and onward.
3. We will face big problems in revoking productive customer certificates just to test our mass-revocation plan and procedures. Our current customer contracts do not foresee this. While we can revoke at any time for security or compliance reasons, this authorization should not be used just to test mass-revocation. This will also require us to push out contract changes to our complete TLS customer base, which will take a considerable amount of time and effort.
4. This part of the proposal should occur within the CA/Browser Forum through amendments to the TLS Baseline Requirements, and not via Mozilla Root Store Policy.
5. Why was the number 30 chosen as a sample? Some CA operators issue very few certificates, while some CAs issue millions of certificates.
I welcome your feedback on these points, the random sampling proposal, and any others.
Thanks,
Ben
Hi Ben,About " annual plan testing by revoking 30 randomly chosen certificates within a 5-day timeframe; and"...We understand that this mean that a CA will need to randomly revoke 30 certificates that most likely don't have other reason for being revoked than being randomly chosen and customers will just need to "happily" accept the situation... Harsh, but doable...
About "audit report submitted under section 3.1 SHALL include an attestation that the CA operator has met these mass revocation planning requirements", it must be considered that the attestation letters of Webtrust audit reports have a fixed format, so such addition would be added most likely as a "Other matters" section, that audits can take each differently.
My question here would be if you think it's there any chance that these requirements become part of the TLS BRs instead of the Mozilla Policy, I see several benefits here:- Checking the mass-revocation plan would be integral part of the audit scope, so auditors don't need to figure out how to include it in the reports... it just needs to be added to the audit criteria.- The "inverse-lottery" thing could be added in the revocation timelines of the BR, so there's an entry in the 5-day deadline adding a new category "The certificate has been randomly chosen for revocation during an internal audit". This should facilitate the contractual language to add in the subscriber agreement.
El domingo, 15 de diciembre de 2024 a las 21:51:43 UTC+1, Ben Wilson escribió:All,
The purpose of this email is to start discussion of Mozilla GitHub Issue #276 ("Address Delayed Revocation"). We would like to collect comments and feedback on a proposal to address delayed certificate revocation from a Mozilla perspective. It builds on prior discussions and feedback regarding delayed revocation, and the proposal is meant to replace guidance currently provided on the Mozilla CA wiki.
Here is the comparison link for a proposed new section 6.1.3 in the MRSP:
Summary
Here are the highlights of the proposal:
- Revocation must occur promptly in compliance with the timelines set in section 4.9.1 of the TLS Baseline Requirements (TLS BRs). Mozilla does not grant exceptions to these timelines.
- New CA Obligations:
- Educate subscribers on revocation timelines and discourage reliance on certificates in systems that cannot tolerate timely revocation.
- Include contractual language requiring subscriber cooperation with revocation timelines.
- Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.
- Beginning April 15, 2026, CA audit reports must attest to compliance with the mass revocation planning requirements.
- Delayed revocation incidents must be reported per version 2.1 of the CCADB's Incident Reporting Guidelines (as currently proposed)
- Repeated delayed revocation incidents will result in heightened scrutiny or sanctions, which may include root removal.
Background
Earlier this year, on this list, I proposed an Interim Policy to Address Delayed Revocation. While the proposed interim policy provided clarity, it faced criticism regarding implementation complexity, burden on subscribers and CAs, and the feasibility of associated measures, such as transitioning delayed revocation domains to 90-day certificates. Also, there were subsequent proposals aimed at reducing certificate lifetimes and encouraging automation. See e.g. https://github.com/cabforum/servercert/pull/553.
This new proposal drops proposed measures such as domain-specific tracking and subscriber attestations and instead focuses on subscriber education, mass revocation preparedness, and robust incident reporting as the primary mechanisms for improving agility and transparency regarding delayed revocation.
If adopted, the proposed MRSP § 6.1.3 would replace the current guidance on delayed revocation in Mozilla’s wiki and ensure consistency with the CCADB's Incident Reporting Guidelines.
I welcome your feedback on this draft proposal. Please share your thoughts, questions, or concerns to help us refine and improve it further.
Thanks,
Ben Wilson
Mozilla Root Store
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Ben Wilson
All,
Thanks for your responses thus far.
We agree about the need to ensure that our messaging around timely revocation remains clear and unambiguous.
In response to your comments, we might want to develop and adopt a graduated list of proportionate penalties that CA operators will face in response to delayed revocation (rather than imposing across-the-board requirements on all CAs). This approach will not only be more effective, but also will provide CA operators with clear expectations about the consequences of delayed revocation. A structured list of enforcement measures would create a strong incentive for CAs to adhere to revocation timelines. A "menu of measures" could graduate from minor, first-time incidents to more stringent measures for repeated or egregious violations.
I invite the community to revisit and review all previously suggested measures, suggest new ones, and advise us about this idea of adopting a structured, ordered list of sanctions for CAs that delay revocation.
I look forward to your additional comments and suggestions.
Thanks again,
Ben
[Posting in a personal capacity, per https://wiki.mozilla.org/CA/Policy_Participants]Ben wrote:
> 1. “Mozilla does not grant exceptions…” -- this is the most important signal that Mozilla can provide.I feel compelled to express the view that Mozilla should not provide any guidance beyond this “Mozilla does not grant exceptions” statement. In other words, I think that the non-policy language at https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation should be completely removed. Not updated, not improved, and certainly not incorporated into the MRSP in some way. Completely Removed.I have formed this opinion somewhat reluctantly and primarily because I've observed one CA, despite their error being pointed out multiple times by multiple community members, continually misrepresent the non-policy language at https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation as "Mozilla policy". In one comment, that CA made the bogus claim that "the current Mozilla policy has language that allows for delayed revocation". Despite now recognizing that delayed revocation "violates the Mozilla policy based on the fact that Mozilla states that CAs are expected to comply with the BRs", that CA seems to want to bury that uncomfortable truth of the "most important signal" beneath Issue #276, writing "We continue to appreciate Ben's efforts to lead a productive discussion on potential policy changes in this area, and would prefer that people spend their efforts on moving such discussions forward".Furthermore, by my count there were 30 "leaf-revocation-delay" bugs opened against 20 CA Owners during 2024. My recollection is that most of these revocations were delayed by choice rather than by accident. I wonder how many of these CAs have misinterpreted https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation as a "get out of jail free card", despite the already clear assertion on that wiki page that "Mozilla does not grant exceptions to the BR revocation requirements"?Based on events so far, my conclusion is this: however well intentioned it might be, the mere existence of any language that attempts to regulate CA responses to delayed revocation incidents drowns out that "most important signal" and consequently risks doing more harm than good. IMHO, that risk can only be mitigated if that language is Completely Removed.> New CA Obligations:
> - Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.Please note that there are CAs that do correctly understand that "Mozilla does not grant exceptions" and that do always strive to adhere to the mandatory BR revocation deadlines. Why should these rule-abiding CAs and their subscribers be burdened with this proposed random revocation requirement? This seems unfair, in my view.Martijn asked if it would be "fairer to only impose this random revocation requirement on those CAs that have actually had delayed revocation incidents". I think that this would not only be fairer but might also act as a deterrent against CAs delaying revocations in the first place!
From: 'Ben Wilson' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Sent: 18 December 2024 17:17
--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsub...@mozilla.org.
Matt Palmer
> [Posting in a personal capacity, per https://wiki.mozilla.org/CA/Policy_Participants]
> Ben wrote:
> > New CA Obligations:
> > - Maintain and test mass revocation plans annually, including the revocation of 30 randomly chosen certificates within a 5-day period.
>
> Please note that there are CAs that do correctly understand that
> "Mozilla does not grant exceptions" and that do always strive to
> adhere to the mandatory BR revocation deadlines.
and effectiveness, to adhere to the revocation requirements.
Nevertheless, issues do occur across even CAs that are presumably
striving hard, as the breadth of CAs represented in the list of historic
revocation failure bugzilla issues highlights. The list of prominent
CAs who have had a delayed revocation incident appears much longer than
the list of prominent CAs that haven't. I would not presume to accuse
every CA on that list of not striving to adhere to the mandatory
deadlines at the time of their respective incidents.
> Why should these
> rule-abiding CAs and their subscribers be burdened with this proposed
> random revocation requirement? This seems unfair, in my view.
atrophy, and so when it turns out to be needed, it does not perform as
well as would be hoped.
During the time I was actively monitoring for BR violations identified
by the Pwnedkeys Revokinator, I found (and reported) multiple cases,
from otherwise (presumably) rule-abiding CAs. It was from this
experience that I first came up with the idea of proactive revocation
requests. Even the best CAs have deficiencies and limitations in their
processes and systems, and it is only by regularly exercising the
processes and systems in a variety of ways will those deficiencies and
limitations be identified, and hence (hopefully) fixed.
That's why I support random revocation requirements for *all* CAs --
because it is practically axiomatic that all CAs' systems will be
less-than-perfect, with problems that have lain dormant, and are only
identified by real-world, end-to-end testing. And that's even before we
start considering the subscriber-level problems out there...
On the subject of being "burdened" by additional requirements, I'd
respond that all regulation is a "burden", and that's just part and
parcel of participating in a regulated industry. CA behaviour has
highlighted a deficiency in the regulatory framework, and that is now
being addressed. If there is a "lighter touch" regulation that could
achieve the same outcomes (identify deficiencies in CA revocation
processes before they turn into massive, real-world problems), I'm sure
Mozilla would seriously consider it. But "don't enhance the regulations
because they would be a burden to the regulated" is not an effective
means of achieving safe and reliable systems.
> Martijn asked if it would be "fairer to only impose this random
> revocation requirement on those CAs that have actually had delayed
> revocation
> deterrent against CAs delaying revocations in the first place!
that have historically had problems with their revocation processes, in
a similar vein to "consent decrees" -- once you've demonstrated a
problem, we're going to watch you a bit more closely for a while
afterwards. Along those lines, I'd suggest something like:
-----8<-----
In the 12 months following the closure of each delayed revocation
incident report, Mozilla will verify the CA's process and system
improvements by making a (verified in some appropriate manner)
revocation request to the CA, enumerating a selection of certificates or
other relevant identifiers, chosen in a manner at Mozilla's sole
discretion to reflect the characteristics of the original delayed
revocation incident, of the same magnitude of impact as the original
delayed revocation.
The CA will be expected to process all of the listed identifiers within
the BR-required timeframe which applied to the original delayed
revocation, and failure to do so will be considered a delayed revocation
incident like any other.
----->8-----
For example, if a CA delays revocation on about 10,000 EV certs that
were improperly issued due to improper domain-control validation, then
Mozilla would, at a time of its own choosing within the 12 months after
the original incident is closed, email the CA a list of about 10,000 EV
certs issued by that CA and expect to see them all show up in CRLs and
OCSP responses as "revoked" within 24 hours of the email being received
by the CA's problem reporting address.
As another, slightly more convoluted example, if a CA delays revocation on
some number of certificates due to 10 compromised keys, then Mozilla
would pick 10 public keys used in certificates issued by that CA and
require all certificates that use those key to be revoked, and that the
new certificates not use any of the identified keys.
Mirroring the magnitude of the original delayed revocation both tests
the improvements made to handling the volume of the original incident,
and motivates CAs to put effort into minimising the scope of the
original incident, even if they can't prevent it entirely.
Similarly, requiring the same revocation period as the original incident
tests the same "kind" of incident again, on the presumption that a CA
that couldn't meet a 24 hour deadline the first time *might* still have
been able to meet a five day deadline, so testing a different scenario
is not nearly as useful a test as replicating the original scenario as
closely as possible.
Waiting until after the incident report is closed ensures that the test
a "fair" one, in that it isn't hitting a CA while it's still getting the
ship afloat again. While CAs might try to delay the test by holding the
incident open forever, it'll be compensated for by the poor optics of
having a big list of unresolved incidents -- if an incident's sole
action item was "deploy enhanced certificate linting tool", for example,
and the incident report is still open two years later, one might start
to question the CA's capacity to execute. Eventually that incident's
going to get closed, and if a bunch of big incidents all get closed at
once, that CA's going to have a busy year ahead of them...
I have deliberately made it Mozilla's role to select the certificates
and choose the timing, because as others have mentioned, I have zero
faith that all CAs will honestly select the certificates and timing of
the revocation in a random manner. It is just too easy to put the thumb
on the scales with practically zero chance of being detected, to think
that *someone* won't do it.
As an aside, if Mozilla would like to outsource the reporting and
analysis of test revocations, I happen to have a high-volume revocation
monitoring service that's just itching to be more widely used...
- Matt
Ryan Hurst
I agree with Rob’s point: Mozilla’s clear stance—"Mozilla does not grant exceptions"—is critical. The non-policy guidance on Responding to an Incident has been repeatedly misused by some CAs to justify delayed revocations, despite corrections. Removing this language entirely is the best way to reinforce Mozilla’s expectations and prevent further misuse.
Ryan Hurst
Roman Fischer
>In general, anything that does not get exercised regularly tends to atrophy, and so when it turns out to be needed, it does not perform as well as would be hoped.
>That's why I support random revocation requirements for *all* CAs -- because it is practically axiomatic that all CAs' systems will be less-than-perfect, with problems that have lain dormant, and are only identified by real-world, end-to-end testing. And that's even before we start considering the subscriber-level problems out there...
Kind regards
Roman
Matt Palmer
> Dear Matt,
>
> >In general, anything that does not get exercised regularly tends to
> >atrophy, and so when it turns out to be needed, it does not perform
> >as well as would be hoped.
>
> I agree. However, as far as I remember at least the delayed
> revocations in the past 1-2 years were not due to CAs incapability to
> do mass-revocation but due to CAs believing that weighing customer's
> claims of negative effects of revocation against complying to the
> mandatory revocation times was acceptable
mass-revocation incidents, there are plenty of others that have
different causes.
> >That's why I support random revocation requirements for *all* CAs --
> >because it is practically axiomatic that all CAs' systems will be
> >less-than-perfect, with problems that have lain dormant, and are only
> >identified by real-world, end-to-end testing. And that's even before
> >we start considering the subscriber-level problems out there...
>
> If testing CAs mass-revocation process is the goal, then we could just
> put a requirement in the BRs.
event, as the word "Baseline" in the name "Baseline Requirements"
implies, the existence of the BRs does not preclude Mozilla from
imposing additional requirements on its program participants.
> Auditors would then check if CAs did mass-revocation tests.
auditors to prevent incidents, one which is not borne out by history.
> Such tests don't have to be done on productive
> public trusted certificates to prove that the process works. 😊
certificates, because otherwise you're not doing a full end-to-end test
of the process as used by real revocation requests. And I can tell you,
categorically, with receipts[1], that real world third-party end-to-end
testing of such processes finds real problems.
- Matt
[1] https://bugzilla.mozilla.org/buglist.cgi?email1=Palmer&emailreporter1=1&resolution=FIXED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&order=Importance&bug_status=RESOLVED&component=CA%20Certificate%20Compliance&product=CA%20Program&query_format=advanced&emailtype1=substring
Suchan Seo
Matt Palmer
> Wouldn't fixed 30 certificates per CA cause smaller CA just spam load
> genenrate test certificates on production envirement to delude chance to it
> actually hit acutal client?
extensive evidence (which, I will note, a CA-driven "random" choice
protocol does not), and if such evidence was found and brought to light
publicly, I expect it would not reflect well on the CA involved.
Also, in the protocol I proposed, as Mozilla has full discretion over
the the criteria by which certificates are chosen for a revocation test,
it does not have to select those certificates entirely at random. It
could identify certificates issued for the purposes you describe, and
just not include such certificates in the list of those to be revoked.
- Matt
Ben Wilson
URL: https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation
Goals: Mozilla’s goals are: to ensure that revocation occurs as swiftly as possible while maintaining the overall security and stability of the web; to reduce delayed revocation incidents to the greatest extent possible; to improve delayed revocation incident reports; and to gather better information on those cases where delayed revocation occurs.
Date to Go Live: January 17, 2025
Revocation
Mozilla’s Expectations on Revocation
CA operators MUST revoke misissued or otherwise problematic TLS server certificates within 24 hours or 5 days, depending on the circumstances set forth in section 4.9.1 of the CA/Browser Forum’s TLS Baseline Requirements (TLS BRs). Mozilla does not grant exceptions to the revocation requirements of the TLS BRs.
To ensure compliance with the TLS BRs, Mozilla requires that CA operators:
engage in proactive communication and advise subscribers well in advance about the revocation timelines and explicitly warn them against using publicly-trusted TLS server certificates on systems that cannot tolerate timely revocation;
include appropriate language in customer agreements requiring subscribers’ timely cooperation in meeting revocation timelines and acknowledging the CA’s obligations to adhere to applicable policies and standards;
prepare and maintain credible plans to address mass revocation events, including detailed procedures for handling mass revocations effectively, including rapid communication with affected parties and conducting annual plan testing; and
engage a third party assessor to evaluate whether the CA Operator has:
credible plans to handle mass revocation events;
tested the operational effectiveness of the plans, including the accuracy and adequacy of documentation of plan testing, including timelines, results, and remediation steps; and
incorporated feedback from such exercises to improve future readiness.
Incident Reporting
The CCADB incident reporting process ensures the Web PKI community is informed and that issues are tracked and resolved effectively. Clear and timely communication fosters trust and accountability, mitigating risks to the ecosystem.
If a CA operator determines that it might delay revocation of certificates beyond the time period required by the TLS BRs, it MUST file a preliminary incident report with a Summary section immediately in Bugzilla, even if the delay has not yet occurred.
Such delayed revocation incident reports SHOULD be updated at least every 3 days and MUST be updated no less frequently than every 7 days to describe a summary of:
the number of certificates that have been revoked;
the number of certificates that have not yet been revoked;
the number of certificates planned for revocation that have expired; and
an estimate for when all remaining revocations will be completed.
Consistent with CCADB incident reporting requirements, in the “Analysis” section, the CA operator SHALL explain in the Analysis section of the incident report those factors and rationales behind the decision to delay revocation (including detailed and substantiated explanations of how extensive harm would result to third parties–such as essential public services or widely relied-upon systems–and why the situation is exceptionally rare and unavoidable).
Also, the Timeline section should include the time(s) at which the CA Operator actually completed revocation of affected certificates, and the Action Items list MUST include steps reasonably calculated to prevent or reduce future revocation delays.
Consequences of Delayed Revocations
Failing to meet the standards of timely revocation erodes trust in the Web PKI and poses risks to global internet security. Delayed revocation is a measure of last resort and MUST not be used routinely. Repeated incidents of delayed revocation without sufficient justification will result in heightened scrutiny and sanctions, including removal of the CA from the Mozilla Root Store. CA operators must also adhere to the policies and revocation requirements of other Root Store Programs that include their CA certificates. Additionally, all delayed revocation incidents MUST be listed as findings in the CA operator’s next TLS BR audit statement.
Rob Stradling
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: MRSP 3.0: Issue #276: Delayed Revocation
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Ben Wilson
> Delayed revocation is a measure of last resort and MUST not be used routinely.
Hi Ben. One nit: That "not" should be capitalized.
Sent: 13 January 2025 17:00
--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsub...@mozilla.org.
Ben Wilson
All,I have posted a replacement wiki page and created a GitHub commit to address this issue.Please let me know of any comments or suggestions.Thanks,Ben
On Monday, January 13, 2025 at 11:31:36 AM UTC-7 r...@sectigo.com wrote:
> Delayed revocation is a measure of last resort and MUST not be used routinely.
Hi Ben. One nit: That "not" should be capitalized.
Sent: 13 January 2025 17:00
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscribe...@mozilla.org.