> On Aug 8, 2017, at 10:36, David E. Ross via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> On 8/7/2017 8:09 PM, Jonathan Rudenberg wrote:
>>> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy 
>>> <dev-security-policy@lists.mozilla.org> wrote:
>>> On 16/05/17 02:26, userwithuid wrote:
>>>> After skimming the responses and checking a few CAs, I'm starting to
>>>> wonder: Wouldn't it be easier to just add another mandatory field to
>>>> the CCADB (e..g. "revocation contact"), requiring $URL or $EMAIL via
>>>> policy and just use that to provide a public list?
>>> Well, such contacts are normally per CA rather than per root. I guess we
>>> could add it on the CA's entry.
>> I’ve been reporting a fair amount of misissuance this week, and the 
>> responses to the Problem Reporting question in the April CA communication 
>> leave a lot to be desired. Several CAs do not have any contact details at 
>> all, and others require filling forms with captchas.
>> I think it’d be very useful if CAs were required maintain a problem 
>> reporting email address and keep it current in the CCADB, this requirement 
>> could go in the Mozilla Root Store policy or the CCADB policy. If they want 
>> to also maintain other modes of contact, they can but no matter what an 
>> email address should be required.
>> Jonathan
> I think that a public point of contact for a certification authority was
> a requirement under Mozilla's policy.  I cannot find such a requirement
> now unless the Baseline Requirements, which are included by reference in
> Mozilla's policy, require it.

Yes, section 4.9.3 of the Baseline Requirements says:

> The CA SHALL provide Subscribers, Relying Parties, Application Software 
> Suppliers, and other third parties with clear instructions for reporting 
> suspected Private Key Compromise, Certificate misuse, or other types of 
> fraud, compromise, misuse, inappropriate conduct, or any other matter related 
> to Certificates. The CA SHALL publicly disclose the instructions through a 
> readily accessible online means.

However, it does not specify that email is required. I’m proposing that Mozilla 
require that one of the methods for reporting be email and that the email 
address be recorded in the CCADB.

dev-security-policy mailing list

Reply via email to