
High traffic on this list, and Mozilla root program involvement


Gervase Markham

Aug 8, 2017, 12:03:08 PM
to mozilla-dev-s...@lists.mozilla.org
Hi everyone,

Wow, traffic on this group has exploded :-) Thank you to everyone who
has been bringing incidents to our attention.

Clearly, many of these items need official responses and action from
representatives of the Mozilla root program. I have been on holiday
quite a lot recently, and that includes this week, and any time I have
had has been fighting fires relating to my other responsibilities and
requirements placed on me. But please rest assured, all this has not
been forgotten.

In the meantime, I would hope CAs would be picking up incidents
relating to themselves, doing investigations and publishing
best-practice-style incident reports here once those investigations were
concluded. I probably need to write a wiki page on this, but in brief
best practice involves much more than "we revoked the certificates
concerned", it needs to say "this is how this happened", and "this is
what we've done/are doing to make sure it won't happen again".

Gerv

Jeremy Rowley

Aug 8, 2017, 7:12:42 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Do you want that added as a new bug for all the issues listed?
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Gervase Markham

Aug 9, 2017, 11:34:57 AM
to mozilla-dev-s...@lists.mozilla.org
On 09/08/17 00:12, Jeremy Rowley wrote:
> Do you want that added as a new bug for all the issues listed?

I'm not sure I follow. Do I want what added?

I will be filing any additional appropriate bugs when I get around to
triaging all the messages in this forum.

Gerv

Jeremy Rowley

Aug 9, 2017, 4:58:08 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
I was thinking you should just have the CAs add them all for you. Makes it
easier on you and demonstrates they are tracking and remediating these
issues. If I were going to create a bug for these in Mozilla would you
prefer to see one bug per issue or one bug per CA? For example, should there
be a bug for all DigiCert issues or should there be one that describes too
long of serial number and another that says the field contains meta-data?

Gervase Markham

Aug 10, 2017, 2:40:14 AM
to Jeremy Rowley
Hi Jeremy,

On 09/08/17 21:57, Jeremy Rowley wrote:
> I was thinking you should just have the CAs add them all for you. Makes it
> easier on you and demonstrates they are tracking and remediating these
> issues. If I were going to create a bug for these in Mozilla would you
> prefer to see one bug per issue or one bug per CA? For example, should there
> be a bug for all DigiCert issues or should there be one that describes too
> long of serial number and another that says the field contains meta-data?

That is a good point. Thank you for the suggestion.

I would like one bug per root cause, ideally, but as bugs can be more
easily duplicated against each other than split, err on the side of one
bug per issue if the root causes have not been determined with
sufficient clarity yet.

If CAs wish to file bugs about their own issues, they should do so here:

https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance

(We use the term "mis-issuance" broadly here.) Please include in the
initial comment at least a full copy of the original report from this
group, although you may elide details of certificates from other CAs.

Gerv

Kathleen Wilson

Aug 15, 2017, 1:14:46 PM
to mozilla-dev-s...@lists.mozilla.org
All,

While I understand the desire to normally have one Bugzilla Bug per root cause per CA, I do not have the bandwidth to do this.

So, I am going to create one bug per CA that I find in the recent m.d.s.policy posts, and list all of the problems pertaining to that CA in their bug.

Thanks to all of you for all of your efforts towards cleaning up the CA ecosystem. It has and will take a lot of work, but I greatly appreciate the forward momentum.

For those of you awaiting response from me to your emails, please be patient as I am going to work on this for a while. (my inbox is a mess, so if there is anything urgent please put URGENT at the beginning of the email subject)

Cheers,
Kathleen
