On Sun, Jan 21, 2018 at 11:12 AM David E. Ross via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 1/21/2018 7:47 AM, Paul Kehrer wrote:
> > Is there a known contact to report it (or is someone with a Google hat
> > reading this anyway)?
>
> On Friday (two days ago), I reported this to dns-ad...@google.com, the
> only E-mail address in the WhoIs record for google.com.

I couldn’t find that listed in the CP/CPS as where to report problems. Instead, I see a different email listed. What made you decide to ignore the CP/CPS, which is where CAs list their problem reporting mechanisms?

Given that a CA’s CP/CPS applies to their hierarchy and issuance practices, not a single certificate, and given that past discussions on this list have specifically called out the CP/CPS as the place to determine problem reporting mechanisms, it does seem unreasonable to expect arbitrary reporting mechanisms to get the same attention as the defined mechanisms.

> I received an automated reply indicating that security issues should
> instead be reported to secur...@google.com. I immediately resent
> (Thunderbird's Edit As New Message) to secur...@google.com.
>
> I then received an automated reply from secur...@google.com that listed
> a variety of Web addresses for reporting various problems. I replied
> via E-mail to secur...@google.com:
> > Because of the OCSP failure, I am unable to reach any of the google.com
> > Web site cited in your reply.
>
> Yes, I could disable OCSP checking. But my need for Google is
> insufficient for me to browse insecurely.
>
> By the way, in SeaMonkey 2.49.1 (the latest version) the Google Internet
> Authority G2 certificate appears to be an intermediate, signed by the
> GeoTrust Global CA root.
>
> There is a pending request (bug #1325532) from Google to add a Google
> root certificate to NSS. Given the inadequacy of Google's current
> information on reporting security problems, I have doubts whether this
> request should be approved.
>
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.
>
> --
> David E. Ross
> <http://www.rossde.com/>
>
> President Trump: Please stop using Twitter. We need
> to hear your voice and see you talking. We need to know
> when your message is really your own and not your attorney's.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy