On Tue, Oct 8, 2019 at 8:16 PM Jeremy Rowley <[email protected]> wrote:
> I think requiring publication of profiles for certs is a good idea. It’s part of what I’ve wanted to publish as part of our CPS. You can see most of our profiles here: https://content.digicert.com/wp-content/uploads/2019/07/Digicert-Certificate-Profiles.pdf, but it doesn’t include ICAs right now. That was an oversight that we should fix.

FWIW, if you want inspiration for your updates, I'm super enamored with the following CP/CPSes and their approach to disclosure:

- Izenpe: http://www.izenpe.eus/contenidos/informacion/doc_especifica/en_def/adjuntos/Certificates_Profile.pdf
- SwissSign: http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf (see 7.1)
- Sectigo: https://sectigo.com/uploads/files/Sectigo-CPS-v5.1.5.pdf (see Appendix C)

> Publication of profiles probably won’t prevent issues related to engineering snafus or more manual procedures. However, publication may eliminate a lot of the disagreement on BR/Mozilla policy wording. That’s a lot more work though for the policy owners, so the community would probably need to be more actively involved in reviewing profiles. Requiring publication at least gives the public a chance to review the information, which may not exist today.
>
> The manual component definitely introduces a lot of risk in sub CA creation, and the explanation I gave is broader than renewals. It’s more about the risks currently associated with Sub CAs. The difference between renewal and new issuance doesn’t exist at DigiCert – we got caught on that issue a long time ago.

Right, I don't discount that manual issuance is hard. For example, 100% of Amazon Trust Service's incidents have been related to manual issuance, and not necessarily sub-CAs (https://bugzilla.mozilla.org/show_bug.cgi?id=1569266, https://bugzilla.mozilla.org/show_bug.cgi?id=1574594, https://bugzilla.mozilla.org/show_bug.cgi?id=1525710).
I highlight this because Amazon has generally been extremely on-the-ball in tooling and infrastructure to detect issues (e.g. certlint), and yet were still bitten when it gets to manual issues.

Yet, going back to the original problem: do we believe that the CA communications are sufficient to raise awareness such that when a CA is implementing a manual review process, they'll implement it correctly? If we don't, then what can we do to improve? If we do, then what should we do when CAs drop the ball?

