On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via dev-security-policy <[email protected]> wrote:

> On 18/4/2018 12:04 AM, Jeremy Rowley via dev-security-policy wrote:
>
>> Having to go through captchas to even get the email sent is just another
>> obstacle in getting the CA a timely certificate problem report
>>
>
> Nowadays, people deal with captchas all the time in various popular web
> sites. I don't understand this argument. If someone wants to file a
> certificate problem report, they will take the extra "seconds" to pass the
> "I am not a robot" test :)
>

The arguments for email are:

1 - It's easier. I have seen CAs use generic "support request" forms that are difficult to decipher, especially when not in one's native language.

2 - It scales better. When someone is trying to report the same problem to a number of CAs, one email is better than filling out a bunch of forms.

3 - It automatically creates a record of the submission. Many forms provide the user no confirmation unless they remember to take a timestamped screenshot.

> Mail servers receive tons of SPAM every day and an email address target is
> a very easy target for popular CAs. We should also consider the possibility
> of accidental "spam labeling" of a certificate problem report via email.
>
> I believe CAs should include the necessary information for receiving
> Certificate Problem Reports in section 1.5.2 of their CP/CPS and this
> should be required by the Mozilla Policy for consistency. The same applies
> for the "high-priority" Certificate Problem Reports as mandated in 4.10.2
> of the BRs.
>
> I plan to introduce a CAB Forum ballot for the 1.5.2 disclosure requirement.

I disagree with the suggestion that Mozilla policy should duplicate the BRs "for consistency", but since Mozilla policy has a broader scope than the BRs (email certificates), I will plan to add this requirement.

> Dimitris.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

