On Sun, Jan 21, 2018 at 2:08 PM David E. Ross via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 1/21/2018 9:50 AM, Ryan Sleevi wrote:
> > I couldn’t find that listed in the CP/CPS as where to report problems.
> > Instead, I see a different email listed.
> >
> > What made you decide to ignore the CP/CPS, which is where CAs list their
> > problem reporting mechanisms?
> >
> > Given that a CA’s CP/CPS applies to their hierarchy and issuance
> practices,
> > not a single certificate, and given that past discussions on this list
> have
> > specifically called out the CP/CPS as the place to determine problem
> > reporting mechanisms, it does seem unreasonable to expect arbitrary
> > reporting mechanisms to get the same attention as the defined mechanisms.
> At the time I tried reporting the problem, I forgot that Google had a
> pending request to add its root to NSS.  When I checked the Certificate
> Manager list of Authorities in my browser, Google did not appear.

I’m not sure I see the relevance of this. Regardless of whether or not a CA
is pending inclusion, there is a defined mechanism for problem reporting,
provided in the CP/CPS. The Mozilla CCADB disclosures lists the applicable

Whatever other criticisms you may make, and I would say this regardless the
CA it affected, you used an adhoc reporting mechanism rather than any
defined problem reporting mechanism, and so the failure to respond to that
points less so to the CA’s failure than the reporters.

In any case, this OCSP problem still makes me question Google's ability
> to manage a certification authority.  As a prior reply in this thread
> indicates, it took two days for Google to even acknowledge there is a
> problem.

This framing continues to adopt your misreporting of the date of report (in
order to beget acknowledgement). I agree that a full incident response is
warranted, but I do find it somewhat surprising that the basis of your
conclusion seems to be, from your previous remarks, predicated on a failure
to acknowledge your non-standard, ad-hoc problem report. I can understand
you may “have questions,” but absent details, and in light of your own
misunderstandings, I am curious whether you are being premature in

> As of right now, it appears the problem has been fixed.  With both
> checkboxes checked under OCSP at [Edit > Preferences > Privacy &
> Security > Certificates], I am now able to reach Google Web sites.
> --
> David E. Ross
> <http://www.rossde.com/>
> President Trump:  Please stop using Twitter.  We need
> to hear your voice and see you talking.  We need to know
> when your message is really your own and not your attorney's.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
dev-security-policy mailing list

Reply via email to