On 29/07/2019 21:52, Andrew Ayer via dev-security-policy wrote: > On Wed, 24 Jul 2019 16:41:53 +0000 > Rob Stradling via dev-security-policy > <[email protected]> wrote: > >> [Wearing crt.sh hat] >> >> https://crt.sh/mozilla-disclosures now has two new buckets: >> - Disclosed, but with Inconsistent Audit details >> - Disclosed, but with Inconsistent CP/CPS details >> >> (I started discussing this new feature with Kathleen, Wayne and >> Sleevi off-list a few months ago, but I was not able to finish >> implementing it until a few days ago). >> >> I've also made the checks for the "Disclosure Incomplete" bucket >> stricter. Missing/incomplete disclosures of BR and/or EV audits are >> now flagged. > > Thanks, Rob. This is a really valuable feature.
:-) > I noticed some false positives, for example where one disclosure URL > refers directly to the CP/CPS and the other refers to a repository > page which links to the CP/CPS. crt.sh simply checks whether or not the CP and CPS URLs exactly match across all CCADB records for the same Subject CA. I can't think of any good reason why these URLs would ever need to not match. > Perhaps it's time to require CAs to > disclose the URL of the actual CP/CPS rather than a repository page, as > discussed a few months ago: I think this is a reasonable thing to ask for, at least in principle. It's currently only possible for CAs to update the CP/CPS URLs in their CCADB Root Certificate records by opening a "CA Audit Update Request" Case. (Each CCADB Root Certificate page says "CAs cannot modify data for the Root Certificate records. It is verified and maintained by root store operator.") Practically, I believe this means that CAs can currently only disclose (changes to) CP/CPS URLs to the CCADB on an annual basis. Given that https://www.ccadb.org/policy says (emphasis mine) "The URLs to such CPs, CPSes...need to be updated *as new information become available*", ISTM that CAs cannot currently use different URLs for different versions of their CP/CPS (as some CAs do) unless they restrict themselves to only updating their CP/CPS once a year, immediately prior to opening a "CA Audit Update Request" Case. Requiring non-versioned CP/CPS URLs that point directly to the current CP/CPS document (rather than a repository page) could work though, I think. Alternative idea: Set up a GitHub repository (managed by the CCADB root store operators) that will hold CP/CPS documents. Require CAs to disclose each new CP/CPS document by submitting a Pull Request. > https://groups.google.com/d/msg/mozilla.dev.security.policy/DyF-5NcYpJI/UNoF46XXAgAJ > > Regards, > Andrew -- Rob Stradling Senior Research & Development Scientist Sectigo Limited _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
