On Fri, Feb 7, 2020 at 11:00 AM Wayne Thayer <[email protected]> wrote:
> I'd like to see Mozilla require an incident report from CAs that can't or
> won't follow the existing guidance (by either supplying a revised audit
> statement, revoking the certificate, or adding it to OneCRL). A number of
> CAs have resolved these issues by following this guidance and I recommend
> against adding a grace period at this time for those who have not.
>

Right, apologies if it wasn't clearer: I was suggesting that the existing guidance be the one granted the grace period (with the expectation that folks follow). Following that grace period, the option becomes revoking the certificate.

<snip>

>> I realize Mozilla uses OneCRL to address the gap there, but ostensibly this
>> is a straight BR violation regarding providing continuous audits. The
>> proposed revisions will make this unambiguously clearer, but either way,
>> the best path to protect the most users is to require the CA to revoke such
>> certificates.
>>
>> This also hopefully has the desired effect of forcing CAs to pay closer
>> attention to the requirements placed on them, and ensure that they negotiate
>> and scope their audits to ensure they’re actually meeting those
>> requirements.
>>
> I agree, but I also think that ALV will cause these issues to be caught
> and quickly corrected in the future (assuming the CA has properly disclosed
> all CA certificates).
>

I agree, ALV will catch these sooner. I took Kathleen's question to be primarily about "How do we handle CAs that have had undetected problems", and my point is that this should only be temporary.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

