On Sun, Jan 21, 2018 at 2:08 PM David E. Ross via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 1/21/2018 9:50 AM, Ryan Sleevi wrote:
> > I couldn’t find that listed in the CP/CPS as where to report problems.
> > Instead, I see a different email listed.
> >
> > What made you decide to ignore the CP/CPS, which is where CAs list their
> > problem reporting mechanisms?
> >
> > Given that a CA’s CP/CPS applies to their hierarchy and issuance practices,
> > not a single certificate, and given that past discussions on this list have
> > specifically called out the CP/CPS as the place to determine problem
> > reporting mechanisms, it does seem unreasonable to expect arbitrary
> > reporting mechanisms to get the same attention as the defined mechanisms.
>
> At the time I tried reporting the problem, I forgot that Google had a
> pending request to add its root to NSS. When I checked the Certificate
> Manager list of Authorities in my browser, Google did not appear.

I’m not sure I see the relevance of this. Regardless of whether or not a CA is pending inclusion, there is a defined mechanism for problem reporting, provided in the CP/CPS. The Mozilla CCADB disclosures list the applicable CP/CPS.

Whatever other criticisms you may make, and I would say this regardless of the CA it affected, you used an ad hoc reporting mechanism rather than any defined problem reporting mechanism, and so the failure to respond to that points less so to the CA’s failure than the reporter’s.

> In any case, this OCSP problem still makes me question Google's ability
> to manage a certification authority. As a prior reply in this thread
> indicates, it took two days for Google to even acknowledge there is a
> problem.

This framing continues to adopt your misreporting of the date of report (in order to beget acknowledgement). I agree that a full incident response is warranted, but I do find it somewhat surprising that the basis of your conclusion seems to be, from your previous remarks, predicated on a failure to acknowledge your non-standard, ad-hoc problem report. I can understand you may “have questions,” but absent details, and in light of your own misunderstandings, I am curious whether you are being premature in judgement?

> As of right now, it appears the problem has been fixed. With both
> checkboxes checked under OCSP at [Edit > Preferences > Privacy &
> Security > Certificates], I am now able to reach Google Web sites.
>
> --
> David E. Ross
> <http://www.rossde.com/>
>
> President Trump: Please stop using Twitter. We need
> to hear your voice and see you talking. We need to know
> when your message is really your own and not your attorney's.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy