I'm either confused, or I disagree. We're talking about a certificate that deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents [1] defines misissuance, in part, as "RFC non-compliant". The certificate as described strictly complies with RFC 5280 (and presumably all other policies). In this circumstance, I do not expect an incident report.
Having said that, I would be pleased if a CA voluntarily published an incident report explaining how the mistake happened and steps taken to learn and improve. That level of transparency would be seen as a positive rather than a mark against the CA.

- Wayne

[1] https://wiki.mozilla.org/CA/Responding_To_An_Incident

On Wed, Apr 10, 2019 at 2:28 AM Matt Palmer via dev-security-policy <[email protected]> wrote:

> On Wed, Apr 10, 2019 at 08:55:27AM +0200, Lijun Liao via dev-security-policy wrote:
> > Let us consider the case that the CA unsets the critical flag unintendedly, e.g. using the default configuration. Which means there are no explicit reasons. Is it required that the CA create an incident report to Mozilla?
>
> My expectation would be "yes", as the CA has failed to adhere to RFC5280.
>
> - Matt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
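The case under discussion, a certificate whose extension carries the wrong critical flag because a profile default was left in place, is the kind of thing a pre-issuance lint catches. The Python below is an added example, not code from this thread, from Mozilla or from any CA: it decodes a DER-encoded X.509 Extensions sequence by hand and reports extensions whose criticality contradicts RFC 5280 section 4.2.1. The extension bytes are constructed inline (two small profiles, no real certificate), the linted subset of extensions and the rule table are my own choices, and the only end-entity versus CA distinction made is the basicConstraints cA flag.

```python
"""Lint X.509 extension criticality against RFC 5280 (added example, constructed input)."""
from dataclasses import dataclass

# Subset of RFC 5280 section 4.2.1 expectations: OID -> (name, must be critical?,
# strength, section). basicConstraints is handled separately because its rule
# depends on cA. Assumption: extensions not listed here are not reported.
EXPECTED = {
    "2.5.29.15": ("keyUsage", True, "SHOULD", "4.2.1.3"),
    "2.5.29.17": ("subjectAltName", False, "SHOULD", "4.2.1.6"),  # assumes non-empty subject
    "2.5.29.14": ("subjectKeyIdentifier", False, "MUST", "4.2.1.2"),
    "2.5.29.35": ("authorityKeyIdentifier", False, "MUST", "4.2.1.1"),
}
OID_BASIC_CONSTRAINTS = "2.5.29.19"


@dataclass
class Extension:
    oid: str
    critical: bool
    value: bytes  # contents of extnValue, i.e. the DER of the extension's own structure


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Turn OBJECT IDENTIFIER contents into dotted form (first byte packs two arcs)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extensions(der: bytes) -> list[Extension]:
    """Parse Extensions ::= SEQUENCE OF Extension { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "each Extension must be a SEQUENCE"
        tag, oid, p = read_tlv(ext, 0)
        assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
        critical = False                    # DEFAULT FALSE: DER omits the field when false
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                     # optional BOOLEAN present: the flag was encoded
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        exts.append(Extension(decode_oid(oid), critical, bytes(val)))
    return exts


def lint(exts: list[Extension]) -> list[str]:
    """Return one finding per extension whose criticality contradicts RFC 5280."""
    findings = []
    for e in exts:
        if e.oid == OID_BASIC_CONSTRAINTS:
            _, inner, _ = read_tlv(e.value, 0)   # BasicConstraints { cA BOOLEAN DEFAULT FALSE, ... }
            is_ca = len(inner) >= 3 and inner[0] == 0x01 and inner[2] != 0
            if is_ca and not e.critical:
                findings.append("basicConstraints: MUST be critical in CA certificates "
                                "(RFC 5280 4.2.1.9), got non-critical")
            continue
        if e.oid not in EXPECTED:
            continue
        name, want, strength, section = EXPECTED[e.oid]
        if e.critical != want:
            findings.append(f"{name}: {strength} be {'critical' if want else 'non-critical'} "
                            f"(RFC 5280 {section}), got {'critical' if e.critical else 'non-critical'}")
    return findings


# --- constructed sample input (not a real certificate) -----------------------
def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                  # short-form length is enough for these samples
    return bytes([tag, len(body)]) + body


def extension(oid: bytes, value: bytes, critical: bool) -> bytes:
    flag = tlv(0x01, b"\xff") if critical else b""   # DER omits critical=FALSE (the DEFAULT)
    return tlv(0x30, oid + flag + tlv(0x04, value))


KEY_USAGE, BASIC_CONSTRAINTS = bytes.fromhex("0603551d0f"), bytes.fromhex("0603551d13")
KU_VALUE = tlv(0x03, b"\x05\xa0")           # BIT STRING: digitalSignature | keyEncipherment
BC_CA_TRUE = tlv(0x30, tlv(0x01, b"\xff"))  # BasicConstraints { cA TRUE }

# The thread's case: a CA profile whose default left keyUsage non-critical.
DEFAULT_PROFILE = tlv(0x30, extension(KEY_USAGE, KU_VALUE, critical=False)
                      + extension(BASIC_CONSTRAINTS, BC_CA_TRUE, critical=True))
CORRECTED_PROFILE = tlv(0x30, extension(KEY_USAGE, KU_VALUE, critical=True)
                        + extension(BASIC_CONSTRAINTS, BC_CA_TRUE, critical=True))

if __name__ == "__main__":
    for label, der in (("default", DEFAULT_PROFILE), ("corrected", CORRECTED_PROFILE)):
        print(label, lint(parse_extensions(der)) or "no findings")
```

Because DER drops a DEFAULT FALSE field entirely, "critical unset" and "critical explicitly FALSE" are indistinguishable on the wire; a lint therefore has to judge the encoded result against the profile the CA intended, which is the gap a default configuration silently opens.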

