See BR 1.5.2.  CAs are already required to have contact information in their 

-----Original Message-----
From: dev-security-policy 
On Behalf Of David E. Ross via dev-security-policy
Sent: Tuesday, August 8, 2017 10:37 AM
Subject: Re: CA Problem Reporting Mechanisms

On 8/7/2017 8:09 PM, Jonathan Rudenberg wrote:
>> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy 
>> <> wrote:
>> On 16/05/17 02:26, userwithuid wrote:
>>> After skimming the responses and checking a few CAs, I'm starting to
>>> wonder: Wouldn't it be easier to just add another mandatory field to 
>>> the CCADB (e..g. "revocation contact"), requiring $URL or $EMAIL via 
>>> policy and just use that to provide a public list?
>> Well, such contacts are normally per CA rather than per root. I guess 
>> we could add it on the CA's entry.
> I've been reporting a fair amount of misissuance this week, and the responses 
> to the Problem Reporting question in the April CA communication leave a lot 
> to be desired. Several CAs do not have any contact details at all, and others 
> require filling forms with captchas.
> I think it'd be very useful if CAs were required maintain a problem reporting 
> email address and keep it current in the CCADB, this requirement could go in 
> the Mozilla Root Store policy or the CCADB policy. If they want to also 
> maintain other modes of contact, they can but no matter what an email address 
> should be required.
> Jonathan

I think that a public point of contact for a certification authority was a 
requirement under Mozilla's policy.  I cannot find such a requirement now 
unless the Baseline Requirements, which are included by reference in Mozilla's 
policy, require it.

David E. Ross

President Trump demands loyalty to himself from Republican members of Congress. 
 I always thought that members of Congress -- House and Senate -- were required 
to be loyal to the people of the United States.  In any case, they all swore an 
oath of office to be loyal to the Constitution.
dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to