On 27/10/16 09:31, Gervase Markham wrote:
> On 26/10/16 22:02, Kathleen Wilson wrote:
<snip>
>> Please see
>> https://wiki.mozilla.org/CA:SalesforceCommunity#CA_Community_in_Salesforce
>> and let me know if you still think we need to add a sentence to the
>> wiki page stating that CAs are expected to maintain this data on an
>> ongoing basis.
>
> Well, like I said, it should be obvious to anyone with half a brain but
> explicit is always clearer than implicit. Being explicit also allows us
> to set expectations about how quickly the info is updated after events,
> e.g. how soon must new intermediates be reported.
+1 Kathleen,

From previous discussions on this list and from reading...

https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F

...and other wiki pages, it's obvious to me that you expect CAs to maintain this data on an ongoing basis.

However...

It was I who suggested to Gerv (at the CABForum F2F last week) that this point needs to be stated to CAs more explicitly.

Yes, https://wiki.mozilla.org/CA:SalesforceCommunity is clear, but is it actually fair to assume that all CAs are aware that that wiki page essentially forms part of Mozilla's CA policy?

The March 2016 CA Communication said...

"Please enter the date by which you plan to complete entering this data into Mozilla's CA Community in Salesforce. The date that you enter must be on or before June 30, 2016."

"Respond with the date by which you plan to complete entry into Mozilla's CA Community in Salesforce of the data for all revoked (non-expired) certificates...The date that you enter must be on or before June 30, 2016"

...which made it sound like a one-time census, rather than an ongoing requirement.

Whilst I think it's obvious to all CAs that your CA Communications essentially form part of your CA Policy, I suspect it's _not_ obvious to all CAs that the same is true of (at least some of) your wiki pages.

So, to ensure that no CA can claim that they didn't know, I'd like to see the "must keep disclosing intermediates to Salesforce on an ongoing basis" requirement explicitly stated:

1. in the next version of the Mozilla CA Policy.
2. in the next CA Communication.
>> ~~ Subject: ACTION REQUIRED: Non-Disclosed
>> non-technically-constrained Intermediate Certs
>>
>> Dear Certification Authority,
>>
>> You are receiving this email because our records indicate
>
> Well, Rob Stradling's records indicate :-) We might instead say that
> "because we have become aware"

+1

It's great that folks are finding https://crt.sh/mozilla-disclosures useful, but clearly it's not an authoritative Mozilla data source. Trust, but verify. :-)

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

