On 5/20/14, 2:45 PM, Kurt Roeckx wrote:
> On Tue, May 20, 2014 at 01:18:10PM -0700, Kathleen Wilson wrote:
>> Another approach is to file a Bugzilla bug for each CA who is issuing new
>> certs with the problems Mozilla cares about (i.e. the things I listed).
>> You can file the bug as
>> https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates
>> The bug will get assigned to me, and I can add the corresponding CA person
>> to the bug.
>
> Will those bugs be open to the public, or will this depend on you
> making them public?
>
> Kurt
It depends on what you put in the bug. You could just put information in
the bug about which intermediate certificates chaining up to that root
have issued certs with problems, list the specific problems, and request
that the CA update their certificate issuance process to eliminate those
problems (i.e. to become compliant with the BRs). If needed, the CA
could follow up with you directly to request specific examples.

If you need to put customer website/cert information into the bug, then
it might be courteous to the customer to restrict access to the bug.
When you create the bug there's a checkbox at the bottom of the page:
"Security: Restrict access to this bug to members of the "Confidential
Mozilla Employee Bug" group."

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy