Incomplete Intermediate Cert Records


Kathleen Wilson

Aug 5, 2016, 7:32:52 PM
to mozilla-dev-s...@lists.mozilla.org
All,

In Salesforce, we have created a report called "Intermediate Certs w/ Missing Audit Info" that is basically the same as
https://crt.sh/mozilla-disclosures#disclosureincomplete

I am planning to have Salesforce automatically send the following email on the second and fourth Tuesday of each month to the Primary POC for each CA owner in the report, and have it CC the CA's email alias.

-- DRAFT --
Dear Certification Authority,

Thank you for entering intermediate certificate data for your root certificates that are included in Mozilla's CA Program into the CA Community in Salesforce.

The Audit and Policies sections have not been filled in completely for some of those intermediate certificates.

Please log in to the CA Community in Salesforce, and do the following:

1) See the report listing the intermediate certificate records that need to be updated.
Reports -> CA Community Reports -> "My IntermediateCerts w MissingAuditInfo"

2) For each line item, click on the certificate name (underlined), and edit the record to fill in the missing information.
https://wiki.mozilla.org/CA:SalesforceCommunity#Audit_Information
https://wiki.mozilla.org/CA:SalesforceCommunity#Policies_and_Practices_Information

This is an automated email that will be sent regularly until the audit statement information for the intermediate certificate records has been completed.

Regards,

Kathleen Wilson
Mozilla
CA Program Manager
-- END DRAFT --

As always, I will appreciate your thoughtful and constructive input on this.

Thanks,
Kathleen

Ryan Sleevi

Aug 6, 2016, 12:45:10 AM
to mozilla-dev-s...@lists.mozilla.org
On Friday, August 5, 2016 at 4:32:52 PM UTC-7, Kathleen Wilson wrote:
> I am planning to have Salesforce automatically send the following email on the second and fourth Tuesday of each month to the Primary POC for each CA owner in the report, and have it CC the CA's email alias.

Kathleen,

This may be a separate discussion, but have you considered setting this list as the TO: and having it BCC: the owners, for situations where you have CAs not completing things in a timely manner / as expected?

The downside to these automated emails is that it's hard for the public to know when CAs are having issues, such as non-compliance, short of re-implementing the same checks using the Salesforce data that's publicly available. By posting to this list (and I'm not sure if the Salesforce system uses a fixed address or not; if not, it may be a bit harder to get it automatically posted publicly), it has a better chance of being part of the permanent record, so that in the future, others can understand what historical issues there were with particular CAs, and how they were resolved.

It also may help put appropriate public pressure to have the issue corrected quickly, which seems like a net-win.

Kurt Roeckx

Aug 6, 2016, 4:21:29 AM
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
On Fri, Aug 05, 2016 at 09:44:58PM -0700, Ryan Sleevi wrote:
> On Friday, August 5, 2016 at 4:32:52 PM UTC-7, Kathleen Wilson wrote:
> > I am planning to have Salesforce automatically send the following email on the second and fourth Tuesday of each month to the Primary POC for each CA owner in the report, and have it CC the CA's email alias.
>
> Kathleen,
>
> This may be a separate discussion, but have you considered setting this list as the TO: and having it BCC: the owners, for situations where you have CAs not completing things in a timely manner / as expected?
>
> The downside to these automated emails is that it's hard for the public to know when CAs are having issues, such as non-compliance, short of re-implementing the same checks using the Salesforce data that's publicly available. By posting to this list (and I'm not sure if the Salesforce system uses a fixed address or not; if not, it may be a bit harder to get it automatically posted publicly), it has a better chance of being part of the permanent record, so that in the future, others can understand what historical issues there were with particular CAs, and how they were resolved.
>
> It also may help put appropriate public pressure to have the issue corrected quickly, which seems like a net-win.

I guess the same could go for e-mails about reminders that their
audit period is over and should put up a new audit report, at
least if they're really late.


Kurt

Ryan Sleevi

Aug 6, 2016, 12:16:51 PM
to mozilla-dev-s...@lists.mozilla.org
On Saturday, August 6, 2016 at 1:21:29 AM UTC-7, Kurt Roeckx wrote:
> I guess the same could go for e-mails about reminders that their
> audit period is over and should put up a new audit report, at
> least if they're really late.

Yes, that is precisely why I mentioned it generically.

I was thinking that any time a CA has to be proactively notified or reminded of its obligations, there's a public interest value. Kathleen already publishes the responses to surveys, which are very valuable to know when a CA commits to do X, but then fails, but also having the reminders public would further help inform which organizations may be having difficulty operating in a fully trustworthy manner. Sure, mistakes happen, so you wouldn't want to dig out the pitchforks the moment you saw such an email, but if the public is seeing patterns or routine negligence, it would seem appropriate to discuss further steps.

Kathleen Wilson

Aug 11, 2016, 2:08:39 PM
to mozilla-dev-s...@lists.mozilla.org
I have added this to our to-do list.

Thanks,
Kathleen
