On 18/4/2018 9:50 μμ, Wayne Thayer via dev-security-policy wrote:
> On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via
> dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
>
>> On 18/4/2018 12:04 πμ, Jeremy Rowley via dev-security-policy wrote:
>>
>>> Having to go through captchas to even get the email sent is just another
>>> obstacle in getting the CA a timely certificate problem report
>>>
>> Nowadays, people deal with captchas all the time in various popular web
>> sites. I don't understand this argument. Is someone wants to file a
>> certificate problem report, they will take the extra "seconds" to pass the
>> "I am not a robot" test :)
>>
>> The arguments for email are:
When I wrote "I don't understand this argument" it was meant for the
"having to go through captchas". Sorry, it wasn't very clear.
> 1 - it's easier. I have seen CAs use generic "support request" forms that
> are difficult to decipher, especially when not in one's native language.
> 2 - It scales better. When someone is trying to report the same problem to
> a number of CAs, one email is better than filling out a bunch of forms
> 3 - It automatically creates a record of the submission. Many forms provide
> the user no confirmation unless they remember to take a timestamped screen
> shot.
>
Despite the arguments for email, there are equally good arguments for
web form submission. IMHO, both should be allowed. A CA could start with
email but if the spam volume becomes out of control, the CA might switch
to a web form solution and all we need to do is define the minimum
"properties" of such a solution. In all cases, CAs should maintain
up-to-date information for Certificate Problem Report submission methods
in CCADB.
>> Mail servers receive tons of SPAM everyday and an email address target is
>> a very easy target for popular CAs. We should also consider the possibility
>> of accidental "spam labeling" of a certificate problem report via email.
>>
>>
> I believe CAs should include the necessary information for receiving
>> Certificate Problem Reports in section 1.5.2 of their CP/CPS and this
>> should be required by the Mozilla Policy for consistently. The same applies
>> for the "high-priority" Certificate Problem Reports as mandated in 4.10.2
>> of the BRs.
>>
>> I plan to introduce a CAB Forum ballot for the 1.5.2 disclosure
> requirement. I disagree with the suggestion that Mozilla policy should
> duplicate the BRs "for consistency", but since Mozilla policy has a broader
> scope than the BRs (email certificates), I will plan to add this
> requirement.
Currently the BRs don't mandate listing this particular information in
1.5.2, so there is no consistency among CAs. So far, CCADB has the best
collection of this information and this was initiated by Mozilla in the
April 2017 CA Communication.
Historically, Mozilla had policies that passed on to the BRs and once
they were in the BRs, they were removed from the Mozilla policy as
duplicates :). We would support a ballot that would require CP/CPS
sections 1.5.2 to describe the CA's specific Certificate Problem Report
methods.
Dimitris.