Hi,

On Sun, 21 Jan 2018 12:09:23 -0800 (PST)
Ryan Hurst via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We maintain contact details both within our CPS (like other CAs) and
> at https://pki.goog so that people can reach us expeditiously. In the
> future if anyone needs to reach us please use those details.

I just tried to see what I'd do if I wanted to report issues with Google's CA (assuming I don't know where its webpage lives and assuming I don't know any Googlers to report this directly).

When I look into the cert details, the certificates for Google webpages are issued by "Google Internet Authority G2".

If I google for that I end up at https://pki.google.com/

This page has a similar style as the pki.goog, but notably it doesn't list any contact info. It has an FAQ, but that doesn't have any question of the form "How do I report a problem with your CA?" The only thing that might be helpful is a pointer to report security incidents. I'd probably have done that, though I would be unsure, as it's debatable whether an offline OCSP counts as a security issue.

Meta-comment: I think the whole CA incident reporting question has lots of room for improvement. And I think this should be considered in a way that people who are not familiar with the details of the CA ecosystem can successfully report incidents. I.e. saying "you can find all the contact info in our CPS" is not particularly helpful, as nobody outside a small circle of people knows what that is.

I think if people try the "natural" way of contacting a certificate issuing entity this should lead to a successful outcome. (And that is more or less "This has been issued by X, so I try to contact X".)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42