On Tue, Mar 5, 2019 at 1:47 PM Ryan Hurst via dev-security-policy < [email protected]> wrote:
> Dear m.d.s.p,
>
> We wanted to follow-up to this thread and give an update.
>
> We have decided to replace and revoke the certificates with 63 bit serial numbers; so far we have finished about 95% of the affected certificates.
>
> We are actively working with the remaining subscribers to replace their certificates as soon as possible without creating a service disruption. We have made the decision to work with subscribers to enable a smooth transition prior to revocation since the issue in question does not reflect a material security issue.
>
> We will share more information as we have it and will publish a complete post mortem once the associated response is complete.

Ryan,

Please review the recently updated [1] guidance regarding revocation and incident response [2]. Unfortunately, I don't think messages like this meet the bar of expectations, which were recently discussed at length regarding DigiCert and underscore characters [3]. The consequence of this is to highlight that CAs making statements that the matter "does not reflect a material security issue" is not a sufficient or accepted reply.

If my understanding is correct, and we are approaching or have passed the 5 day mark at which Google Trust Services was made aware of this, then the appropriate next step is to file an incident report, thus making the total matter two incident reports - one incident report regarding the serial entropy, which your initial message begins evaluating, and another for a failure to revoke according to the BR allotted timeframe.

If I've misunderstood the timing, then this may simply serve as a reminder about the level of expectations regarding revocation and BR violations. However, based on this and your previous reply, it does sound like this represents an incident regarding the failure to revoke 5% of those certificates, and an incident report is expected regarding that, including the timeline and plans for remediation.

This helps ensure a consistent evaluation regarding the risks, as the CA represents them, and helps demonstrate the CA's clear and hard commitments regarding remediation timing.

Please also note that, as per [2], CAs are encouraged to file an incident report much sooner. On the particular topic of revocation, CAs are encouraged to file a report "immediately", preferably before the BR-mandated deadline has been exceeded. You may then provide additional details and investigation notes, as information becomes available and as questions are raised.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/HdirGOy6TJI/oIHKXeSuCAAJ
[2] https://wiki.mozilla.org/CA/Responding_To_An_Incident
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/0oy4uTEVnus/pnywuWbmBwAJ

