Each CA is required (under the BRs) to provide public information on how to
submit certificate problem reports, including mis-issued certificates. The
only way to properly notify the CA is through that mechanism as those are
monitored 24 hours. CAs participating on the list usually have a couple of
reps who monitor and participate, but not 24x7. I do agree there should be
penalties for missing the 24 hour requirement to give the BRs a bit more
teeth, but those penalties should be based on the proper notice process
being followed.
I would also love to see a more standardized notice mechanism that is
universal to all CAs. Right now, notifying CAs is a pain as some have
different webforms, some use email, and some don't readily tell you how to
contact them about certificate problems.
Jeremy
-----Original Message-----
From: dev-security-policy
[mailto:
dev-security-policy-bounces+jeremy.rowley=digice...@lists.mozilla
.org] On Behalf Of Alex Gaynor via dev-security-policy
Sent: Tuesday, July 25, 2017 10:58 AM
To: Alex Gaynor <
alex....@gmail.com>
Cc:
mozilla-dev-s...@lists.mozilla.org
Subject: Re: Miss-issuance: URI in dNSName SAN
Following up on this (and really several other threads). The BRs require
mis-issued certs to be revoked with 24 hours of the CA becoming aware. CAs
are required to track m.d.s.p. per the Mozilla Root Policy, so really
notifying this list _ought_ to qualify as notifying the CAs.