Mozilla's guidance for incident response lives at https://wiki.mozilla.org/CA/Responding_To_An_Incident
I just made some significant changes to the Revocation section that reflect the approach we took with the recent underscore sunset. Most notably, the following paragraph:

> However, it is not our intent to introduce additional problems by forcing
> the immediate revocation of certificates that are not BR-compliant when
> they do not pose an urgent security concern. Therefore, we request that
> your CA perform careful analysis of the situation. If there is
> justification to not revoke the problematic certificates, then your report
> will need to explain those reasons and provide a timeline for when the bulk
> of the certificates will expire or be revoked/replaced.

Has been replaced with:

> Mozilla recognizes that in some exceptional circumstances, revoking
> misissued certificates within the prescribed deadline may cause significant
> harm, such as when the certificate is used in critical infrastructure and
> cannot be safely replaced prior to the revocation deadline. However,
> Mozilla does not grant exceptions to the BR revocation requirements. It is
> our position that your CA is ultimately responsible for deciding if the
> harm caused by following the requirements of BR section 4.9.1.1 outweighs
> the risks created by choosing not to meet this requirement.

Additions have also been made to our expectations when a CA doesn't revoke on time, along with a number of minor updates. You can view a comparison of all the changes at https://wiki.mozilla.org/index.php?title=CA%2FResponding_To_An_Incident&type=revision&diff=1207675&oldid=1185707

I will greatly appreciate everyone's feedback on these changes.

- Wayne

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

