
Proposed change to CA contact policy


Gervase Markham

Oct 9, 2017, 6:41:53 AM
to mozilla-dev-s...@lists.mozilla.org
The CCADB stores a couple of different types of "contact" records:

* Primary POC (1 or more): someone who is "authorized to speak for and
to bind the CA that they represent."
* POC (0 or more): Another contact at that CA.
* Email Alias (1 or 2): defined as "more likely to continue working as
personnel change".

All are per-organization values, and I don't believe any of them are
published. However, this then leads to a question about which contacts
should be used in what circumstances.

The Common CCADB Policy says:

"Notification of security and audit-related issues will be emailed to
all POCs and the email aliases; CAs are advised to supply sufficient
POCs that will enable them to respond to an issue promptly."

This is a bit of an administrative pain.

The proposal is to change things to put the burden of ensuring the
appropriate distribution of messages on to the CA. In future, we would
just email the first email alias; CAs are responsible for making sure
that value is a mailing list which goes to all appropriate parties or
systems necessary to provide a timely response.

Any objections?

Gerv

okaphone.e...@gmail.com

Oct 9, 2017, 8:26:33 AM
to mozilla-dev-s...@lists.mozilla.org
May I suggest also changing the labels in such a way that there can be zero, zilch, nada doubt which e-mail address field is the all-important one that they will have to get right? ;-)

CU Hans

Nick Lamb

Oct 9, 2017, 11:33:39 AM
to mozilla-dev-s...@lists.mozilla.org
On Monday, 9 October 2017 11:41:53 UTC+1, Gervase Markham wrote:
> Any objections?

One nice thing about the current situation is that CAs are permitted (though not obliged) to arrange robustness against technical failure.

If the only official way to contact Honest Achmed's CA is to email ach...@honestca.example, and then whoops, honestca.example have an SMTP server outage or they get blacklisted by the email provider we use unknown to us, or a million other things happen, we can't contact Achmed at all.

Right now, if Achmed is worried about that he can list ach...@gmail.com, and os...@hotmail.com (Achmed's cousin Osman still uses Hotmail in 2017) and so on, and Mozilla has a better chance to actually reach somebody. Yes it's more hassle, but handling _that_ part is surely something Mozilla could worry about?

Matthew Hardeman

Oct 9, 2017, 1:04:32 PM
to mozilla-dev-s...@lists.mozilla.org
Echoing Mr. Lamb's concern, I would suggest defining two "important notice role/mailing list recipient addresses" and always sending important notices to both. This would allow for a mailing list on CA internal infrastructure as well as one on external infrastructure.

Gervase Markham

Oct 11, 2017, 6:51:37 AM
to Matthew Hardeman
On 09/10/17 18:04, Matthew Hardeman wrote:
> Echoing Mr. Lamb's concern, I would think that defining two
> "important notice role/mailing list recipient addresses" and always
> sending important notices to both. This would allow for a mailing
> list on CA internal infrastructure as well as one on external
> infrastructure.

Kathleen now says she would prefer to email the Primary POCs and CC the
email aliases. Handily, this allows for what you suggest. So consider
the proposal changed to that.

Gerv

Gervase Markham

Oct 16, 2017, 6:38:45 AM
to Matthew Hardeman
On 11/10/17 11:50, Gervase Markham wrote:
> Kathleen now says she would prefer to email the Primary POCs and CC the
> email aliases. Handily, this allows for what you suggest. So consider
> the proposal changed to that.

Or rather, email the primary POCs and CC the first email alias.

Gerv