
Responding to a misissuance


Gervase Markham

Aug 18, 2017, 7:38:18 AM
to mozilla-dev-s...@lists.mozilla.org
I've started a wiki page giving Mozilla expectations and best practices
for CAs responding to a misissuance report. (No idea why I decided to
write that now...)

https://wiki.mozilla.org/CA/Responding_To_A_Misissuance

Comments on whether the content is correct, and what might be missing,
are most welcome.

The idea might be for us (or anyone else, for that matter) to send a
link to this document to CAs along with any misissuance reports.

Gerv

richm...@gmail.com

Aug 18, 2017, 7:51:34 AM
to mozilla-dev-s...@lists.mozilla.org
Perhaps some explicit statements about sub-CAs would be helpful - detailing where responsibility lies and how a CA is required to deal with a sub-CA who is found to have misissued.

Doug Beattie

Aug 18, 2017, 8:04:21 AM
to richm...@gmail.com, mozilla-dev-s...@lists.mozilla.org
And if there is any guidance on processing misissuance reports for Name constrained sub-CA vs. not name constrained, that would be helpful also.

Gervase Markham

Aug 18, 2017, 9:41:34 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Rich,
Do you specifically mean sub-CAs which are run by someone other than the
CA (and so have their own audits etc.)?

Good idea. What do you think we should say? :-)

Gerv

Gervase Markham

Aug 18, 2017, 9:42:15 AM
to Doug Beattie, richm...@gmail.com
On 18/08/17 13:03, Doug Beattie wrote:
> And if there is any guidance on processing misissuance reports for
> Name constrained sub-CA vs. not name constrained, that would be
> helpful also.

What parts of a response do you think might be different for
name-constrained sub-CAs?

Gerv

Doug Beattie

Aug 18, 2017, 1:56:19 PM
to Gervase Markham, richm...@gmail.com, mozilla-dev-s...@lists.mozilla.org


> -----Original Message-----
> From: Gervase Markham [mailto:ge...@mozilla.org]
> Sent: Friday, August 18, 2017 9:42 AM
> To: Doug Beattie <doug.b...@globalsign.com>; richm...@gmail.com;
> mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Responding to a misissuance
>
> On 18/08/17 13:03, Doug Beattie wrote:
> > And if there is any guidance on processing misissuance reports for
> > Name constrained sub-CA vs. not name constrained, that would be
> > helpful also.
>
> What parts of a response do you think might be different for name-
> constrained sub-CAs?

Technically constrained CAs need to follow the BRs, but the "damage" they can do is limited to the set of domains they are constrained to, so I had assumed a different process might result. But, given your pointed question, I can’t actually come up with what would be different.

> Gerv

Gervase Markham

Aug 24, 2017, 11:44:50 AM
to mozilla-dev-s...@lists.mozilla.org
On 18/08/17 04:37, Gervase Markham wrote:
> I've started a wiki page giving Mozilla expectations and best practices
> for CAs responding to a misissuance report. (No idea why I decided to
> write that now...)
>
> https://wiki.mozilla.org/CA/Responding_To_A_Misissuance

I have now removed the Draft designation from this document. Researchers
who find CA misissuances are welcome to include a link to this page in
their report to the CA, reminding the CA that Mozilla has the documented
expectations.

To be clear on the status of this document: this is a best practices
document, not an official policy, and does not use normative language.
Therefore, failure to follow one or more of the recommendations here is
not by itself sanctionable. However, failure to do so without good
reason may affect Mozilla's general opinion of the CA. Our confidence in
a CA is in part affected by the number and severity of incidents, but it
is also significantly affected by the speed and quality of incident
response.

Researchers may also be interested, if they have not already noticed,
that there is a ballot in preparation in the CAB Forum to adjust the
24-hour revocation rule to something more practical in cases of lower
severity.

Gerv