On 18/4/2018 9:50 μμ, Wayne Thayer via dev-security-policy wrote:
On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via
dev-security-policy <[email protected]> wrote:
On 18/4/2018 12:04 πμ, Jeremy Rowley via dev-security-policy wrote:
Having to go through captchas to even get the email sent is just another
obstacle in getting the CA a timely certificate problem report
Nowadays, people deal with captchas all the time in various popular web
sites. I don't understand this argument. Is someone wants to file a
certificate problem report, they will take the extra "seconds" to pass the
"I am not a robot" test :)
The arguments for email are:
When I wrote "I don't understand this argument" it was meant for the
"having to go through captchas". Sorry, it wasn't very clear.
1 - it's easier. I have seen CAs use generic "support request" forms that
are difficult to decipher, especially when not in one's native language.
2 - It scales better. When someone is trying to report the same problem to
a number of CAs, one email is better than filling out a bunch of forms
3 - It automatically creates a record of the submission. Many forms provide
the user no confirmation unless they remember to take a timestamped screen
shot.
Despite the arguments for email, there are equally good arguments for
web form submission. IMHO, both should be allowed. A CA could start with
email but if the spam volume becomes out of control, the CA might switch
to a web form solution and all we need to do is define the minimum
"properties" of such a solution. In all cases, CAs should maintain
up-to-date information for Certificate Problem Report submission methods
in CCADB.
Mail servers receive tons of SPAM everyday and an email address target is
a very easy target for popular CAs. We should also consider the possibility
of accidental "spam labeling" of a certificate problem report via email.
I believe CAs should include the necessary information for receiving
Certificate Problem Reports in section 1.5.2 of their CP/CPS and this
should be required by the Mozilla Policy for consistently. The same applies
for the "high-priority" Certificate Problem Reports as mandated in 4.10.2
of the BRs.
I plan to introduce a CAB Forum ballot for the 1.5.2 disclosure
requirement. I disagree with the suggestion that Mozilla policy should
duplicate the BRs "for consistency", but since Mozilla policy has a broader
scope than the BRs (email certificates), I will plan to add this
requirement.
Currently the BRs don't mandate listing this particular information in
1.5.2, so there is no consistency among CAs. So far, CCADB has the best
collection of this information and this was initiated by Mozilla in the
April 2017 CA Communication.
Historically, Mozilla had policies that passed on to the BRs and once
they were in the BRs, they were removed from the Mozilla policy as
duplicates :). We would support a ballot that would require CP/CPS
sections 1.5.2 to describe the CA's specific Certificate Problem Report
methods.
Dimitris.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
