On Mon, Mar 2, 2020 at 2:07 AM Matt Palmer via dev-security-policy < [email protected]> wrote:
> > However, I get the feeling that you don't put much stock into incident
> > reports and browsers' dim view of shenanigans. That might be worth expanding
> > upon, if you believe the incident reporting process is not adequately
> > protecting users or balancing tradeoffs.
>
> No, it's not that. I like the incident report system, and Mozilla does a
> reasonable job of enforcing what rules there already are. It's just that CAs
> often argue that they didn't *know* that doing a bad thing was bad because
> the rules didn't *say* that it was a bad thing, and when I started operating
> in this area I found something that I thought was potentially a loophole,
> and I wanted to discuss it before standing up and shouting "HOUSTON WE HAVE
> AN INCIDENT!" -- because *that* is the sort of thing that devalues the
> incident reporting system.

I agree, there's a disconcerting trend reappearing of CAs using ignorance as a justification, especially when they've been amply and exhaustively discussed here. You should feel free if/as you see that, in incident reports and Bugzilla, to call it out with references to earlier discussions. Starting this thread, for example, is extremely useful, so thanks for doing that :)

> > > I ask this because I accidentally sent a couple of compromise notifications
> > > with an incorrect URL. While one notification got what appeared to be a
> > > human saying "we'll look into it" (which itself was sent more than 24 hours
> > > after I received the corresponding auto-ack), others have been greeted with
> > > complete radio silence (other than the auto-ack). This seems...
> > > sub-optimal.
> >
> > Did you use the CPS documented problem reporting mechanism?
>
> I've been using the "Report a problem" data from crt.sh, which is populated,
> I believe, from CCADB. I just checked the CPS of the two CAs at issue, and
> in both cases the initial reports were sent to the correct e-mail address.

Yeah. Unfortunately, the CCADB information is not "binding" on CAs yet; that is, while it's self-reported, it doesn't become an auditable violation if a CA fails to respond promptly. This does create an unfortunate and understandable gap in accountability, and so double checking with the CP/CPS is definitely the right path before declaring an incident.

