The risk is primarily outages of major sites across the web, including certs 
used in Google wallet. We’re thinking that is a less than desirable result, but 
we weren’t sure how the Mozilla community would feel/react.  We’re still 
considering revoking all of the certs on Jan 15th based on these discussions.  
I don’t think we’re asking for leniency (maybe we are if that’s a factor?), but 
I don’t know what happens if you’re faced with causing outages vs. compliance. 
I started the conversation because I feel like we should be good netizens and 
make people aware of what’s going on instead of just following policy.  I’m 
actually surprised at least one other CA that has issued a large number of 
underscore character certs hasn’t run into the same timing issues. 

Normally, we would just revoke the certs, but there are a significant number of 
certs in the Alexa top 100. We’ve told most customers, “No exception”. I also 
thought it’s better to get the information out there so we can all make 
rational decisions (DigiCert included) if as many facts are known as possible.  

We are working with the partners to get the certs revoked before the deadline. 
Most will. By January 15th, I hope there won’t be too many certs left. 
Unfortunately, by then it's also too late to discuss what happens if the cert 
is not revoked. I.e., what are the benefits of revoking (strict compliance) vs 
revoking the larger impact certs as they are migrated (incident report)? 
Unfortunately part 2, there's no guidance on whether an incident report means 
total distrust v. something on your audit and a stern lecture. I'd happily 
suffer a lecture rather than take down a top site. Not so willing to gamble the 
whole company. This is why we wanted to have the discussion now, despite no 
violation so far. The response from the browsers is public - that they cannot 
make that determination. Does that mean we have our answer? Revoke is the only 
acceptable response?

From: James Burton <j...@0.me.uk> 
Sent: Thursday, December 27, 2018 2:24 PM
To: Ryan Sleevi <r...@sleevi.com>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Underscore characters

On Thu, Dec 27, 2018 at 9:00 PM Ryan Sleevi <r...@sleevi.com> wrote:

I'm not really sure I understand this response at all. I'm hoping you can 
clarify.

On Thu, Dec 27, 2018 at 3:45 PM James Burton <j...@0.me.uk> wrote:

For a CA to intentionally state that they are going to violate the BR 
requirements means that that CA is under immense pressure to comply with 
demands or face retribution. 

I'm not sure I understand how this flows. Comply with whose demands? Face 
retribution from who, and why?

The CA must be under immense pressure to comply with demands from certain 
customers to determine that they don't have much of a choice but to 
intentionally violate the BR requirements, and by telling the community and 
root stores early they are hoping for leniency. The retribution by those 
customers could be legal, which is outside of this forum, but it's still 
relevant to them if that is the case.

The severity inflicted on a CA by intentionally violating the BR requirements 
can be severe. Rolling the dice of chance. Why take the risk?

I'm not sure I understand the question at the end, and suspect there's a point 
to the question I'm missing.

The CA is rolling the dice of chance; they are intentionally risking everything 
by violating the BR requirements, and they know that such action can face 
sanctions or distrust in the wrong case. The question I asked is why they are 
taking the risk, which follows from the first statement.

Presumably, a CA stating they're going to violate the BR requirements, knowing 
the risk to trust that it may pose, would have done everything possible to 
gather every piece of information so that they could assess whether the risk of 
violation is outweighed by whatever other risks (in this case, revocation). If 
that's the case, is it unreasonable to ask how the CA determined that - which 
is the root cause analysis question? And how to mitigate whatever other risk 
(in this case, revocation) poses going forward, so that violating the BRs isn't 
consistently seen as the "best" option?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy