On Sun, Jan 21, 2018 at 11:12 AM David E. Ross via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> > Is there a known contact to report it (or is someone with a Google hat
> > reading this anyway)?
> On Friday (two days ago), I reported this to dns-ad...@google.com, the
> only E-mail address in the WhoIs record for google.com.

I couldn’t find that listed in the CP/CPS as where to report problems.
Instead, I see a different email listed.

What made you decide to ignore the CP/CPS, which is where CAs list their
problem reporting mechanisms?

Given that a CA’s CP/CPS applies to their hierarchy and issuance practices,
not a single certificate, and given that past discussions on this list have
specifically called out the CP/CPS as the place to determine problem
reporting mechanisms, it does seem unreasonable to expect arbitrary
reporting mechanisms to get the same attention as the defined mechanisms.

> I received an automated reply indicating that security issues should
> instead be reported to secur...@google.com. I immediately resent
> (Thunderbird's Edit As New Message) to secur...@google.com.
> I then received an automated reply from secur...@google.com that listed
> a variety of Web addresses for reporting various problems.  I replied
> via E-mail to secur...@google.com:
> > Because of the OCSP failure, I am unable to reach any of the google.com
> > Web site cited in your reply.
> Yes, I could disable OCSP checking.  But I my need for Google is
> insufficient for me to browse insecurely.
> By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet
> Authority G2 certificate appears to be an intermediate, signed by the
> GeoTrust Global CA root.
> There is a pending request (bug #1325532) from Google to add a Google
> root certificate to NSS.  Given the inadequacy of Google's current
> information on reporting security problems, I have doubts whether this
> request should be approved.
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.
> --
> David E. Ross
> <http://www.rossde.com/>
> President Trump:  Please stop using Twitter.  We need
> to hear your voice and see you talking.  We need to know
> when your message is really your own and not your attorney's.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
dev-security-policy mailing list

Reply via email to