On Thu, Feb 6, 2020 at 5:44 PM Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> <snip>
> My recommendation is that, for audit periods ending within the next 30 or so days (meaning, effectively, for reports provided over the next 4 months, given the three month window before reporting), such situations are accepted despite the limited assurance they provide. Following that - that is, for any audit afterwards, there is zero exception, and revocation is required.
>

I'd like to see Mozilla require an incident report from CAs that can't or won't follow the existing guidance (by either supplying a revised audit statement, revoking the certificate, or adding it to OneCRL). A number of CAs have resolved these issues by following this guidance and I recommend against adding a grace period at this time for those who have not.

> This places the onus on the CA to ensure their audit reports will meet Mozilla’s requirements.
>

In the future, I expect ALV to catch these issues as soon as the audit report is published. Mistakes do happen, and I don't think our policy should go straight to revocation upon an ALV failure due to an audit statement error.

> > 2) Should we accept a revised audit statement to include the SHA256 fingerprint of a certificate that was not previously listed and does not have the same Subject + SPKI as other cert(s) listed in the audit statement?
>
> <snip>
> I realize Mozilla uses OneCRL to address the gap there, but ostensibly this is a straight BR violation regarding providing continuous audits. The proposed revisions will make this unambiguously clearer, but either way, the best path to protect the most users is to require the CA to revoke such certificates.
>
> This also hopefully has the desired effect of forcing CAs to pay closer attention to the requirements placed on them, and ensure that they negotiate and scope their audits to ensure they’re actually meeting those requirements.
I agree, but I also think that ALV will cause these issues to be caught and quickly corrected in the future (assuming the CA has properly disclosed all CA certificates).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

