Hi Gerv,
Based on the number of reports reviewed recently, I suspect we've got
opportunities for improvement, but I'm not quite sure yet what the concrete
suggestions on that should look like. A few thoughts below:
- The current report format biases itself towards "misissuance", when we
know there's a spectrum of BR compliance issues that can arise (for
example, the OCSP responders) that don't necessarily involve the
certificates and crt.sh IDs, but on other factors
- I would say that the majority of CAs had difficulty understanding what a
"timeline" was, often providing statements of steps they took, without any
context as to when - either date or time. They also tended to focus on when
the incident was reported to them, without taking into the full
consideration of when the situation causing the incident began.
- For example, if the BRs changed at Date X, and required the CA do
something by Date Y, and they didn't, then it would seem that at least Date
X and Y are relevant to the discussion (and potentially when the change was
first discussed in the CA/B Forum, which often far pre-dates Date X).
Further, if CAs' do audits or annual CPS reviews, understanding those in
the timeline are equally valuable, even when they predate the incident
itself.
- It's unclear the value of the confirmation of non-issuance or resolution.
If the intent is for the CA to make a binding pledge to the community with
respect to their corrective actions, perhaps it should be expanded (and the
consequences of misrepresenting that pledge captured)
- It's unclear what the reasonable expected update period should be when
CAs are taking corrective steps. Weekly updates?
If it helps, Microsoft requires the following of CAs that participate in
its program -
https://social.technet.microsoft.com/wiki/contents/articles/31633.microsoft-trusted-root-program-requirements.aspx#D_CA_Responsibilities_in_the_Event_of_an_Incident
- so one might expect that every CA participating in both programs has such
information available to them, when it's a BR violation.
> _______________________________________________
> dev-security-policy mailing list
>
dev-secur...@lists.mozilla.org
>
https://lists.mozilla.org/listinfo/dev-security-policy
>