+1. CAs should be required to support certificate problem reports sent through 
a specified email address. It simplifies the process a lot if CAs use at least 
one common mechanism.

> On Aug 8, 2017, at 12:22 PM, Jonathan Rudenberg via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
>> On Aug 8, 2017, at 10:36, David E. Ross via dev-security-policy 
>> <dev-security-policy@lists.mozilla.org> wrote:
>> On 8/7/2017 8:09 PM, Jonathan Rudenberg wrote:
>>>> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy 
>>>> <dev-security-policy@lists.mozilla.org> wrote:
>>>> On 16/05/17 02:26, userwithuid wrote:
>>>>> After skimming the responses and checking a few CAs, I'm starting to
>>>>> wonder: Wouldn't it be easier to just add another mandatory field to
>>>>> the CCADB (e..g. "revocation contact"), requiring $URL or $EMAIL via
>>>>> policy and just use that to provide a public list?
>>>> Well, such contacts are normally per CA rather than per root. I guess we
>>>> could add it on the CA's entry.
>>> I’ve been reporting a fair amount of misissuance this week, and the 
>>> responses to the Problem Reporting question in the April CA communication 
>>> leave a lot to be desired. Several CAs do not have any contact details at 
>>> all, and others require filling forms with captchas.
>>> I think it’d be very useful if CAs were required maintain a problem 
>>> reporting email address and keep it current in the CCADB, this requirement 
>>> could go in the Mozilla Root Store policy or the CCADB policy. If they want 
>>> to also maintain other modes of contact, they can but no matter what an 
>>> email address should be required.
>>> Jonathan
>> I think that a public point of contact for a certification authority was
>> a requirement under Mozilla's policy.  I cannot find such a requirement
>> now unless the Baseline Requirements, which are included by reference in
>> Mozilla's policy, require it.
> Yes, section 4.9.3 of the Baseline Requirements says:
>> The CA SHALL provide Subscribers, Relying Parties, Application Software 
>> Suppliers, and other third parties with clear instructions for reporting 
>> suspected Private Key Compromise, Certificate misuse, or other types of 
>> fraud, compromise, misuse, inappropriate conduct, or any other matter 
>> related to Certificates. The CA SHALL publicly disclose the instructions 
>> through a readily accessible online means.
> However, it does not specify that email is required. I’m proposing that 
> Mozilla require that one of the methods for reporting be email and that the 
> email address be recorded in the CCADB.
> Jonathan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
dev-security-policy mailing list

Reply via email to