On Tue, Aug 15, 2017 at 3:37 PM, Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> I do *NOT* necessarily expect the CAs to revoke all of these certificates.
> I expect the CAs to do a careful analysis of the situation and
> determine/explain whether or not they will revoke the certs or let them
> expire. If the choice is to let them expire, there need to be good reasons
> and a timeline for when the bulk of certs will expire. We (Mozilla
> community) will evaluate such information and provide constructive
> feedback, and I or Gerv will add a comment in the bug to confirm if the
> plan (when not revoking) is acceptable, or to state if we/Mozilla will
> require revocation.
>
The requirement for revocation comes from the Baseline Requirements. Could you clarify your expectations regarding CAs' violation of the Baseline Requirements with respect to these issues and Section 4.9.1.1? That is:

1) Do you expect a qualified audit report for any CA that has failed to revoke within 24 hours? (I would suggest Mozilla should expect that, but that's not explicitly stated, and other programs may already expect/require this.)

2) Are you suggesting you will, in evaluating such a qualified report, take into consideration the explanations CAs provide, and that the determination of whether or not such a qualified report will be acceptable shall be communicated in the bug? (I think that's a correct analysis of your proposal, but want to confirm.)

3) Do you have a plan for CAs that (1) fail to respond, (2) fail to respond in a timely fashion, or (3) fail to respond to a level of detail sufficient to determine whether or not it's a 'good' reason?

I would note that any CA which does not or has not promptly revoked these within 24 hours of contact should, at a minimum, contact all root programs that they participate in to acknowledge this non-compliance and discuss what expectations other, non-Mozilla Root Programs have with respect to these certificates. Similarly, if such programs have requirements around "Security Incident Reporting," CAs should be timely in such reports.

Given that these are a requirement in the Baseline Requirements, it is up to each CA to work with their auditor (and supervisory body, as appropriate) and the root store(s) they participate in to ensure their analysis of the risk and plan of remediation is acceptable.

Is that a correct summary of the situation?