Prior to 2021-08-11, Google Trust Services' CPS (version 3.4, https://pki.goog/repo/cps/3.4/GTS-CPS.pdf) contained the following exception to checking CAA:

"If Google is the DNS Operator (as defined in RFC 7719) of the domain's DNS."

This exception was banned by CABF Ballot SC46, which passed on 2021-06-02 and became effective 2021-07-12. However, it was not removed from GTS' CPS until 2021-08-11 (version 4.0, https://pki.goog/repo/cps/4.0/GTS-CPS.pdf), with the changelog note "Updated various sections following full CPS review".

https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 describes a similar incident from April of this year - a failure by GTS to update their CPS to reflect BR changes. To "prevent similar issues from happening again", GTS committed to making several changes, including:

1. "Implementing automation that monitors the Baseline Requirements document repository and Mozilla tickets and automatically creates tickets in [GTS'] internal tracking system", scheduled to be implemented by 2021-06-15 (https://bugzilla.mozilla.org/show_bug.cgi?id=1706967#c11)

2. Instituting a weekly meeting (previously bi-weekly) to "ensure continual compliance with the Baseline Requirements", beginning 2021-05-03 (https://bugzilla.mozilla.org/show_bug.cgi?id=1706967#c11).

Despite detecting and removing the non-compliant DNS Operator exception during a CPS review, GTS has not filed an incident report about the non-compliance.

https://bugzilla.mozilla.org/show_bug.cgi?id=1708516 describes another failure by GTS to file an incident report as well as generally poor compliance practices by GTS (https://bugzilla.mozilla.org/show_bug.cgi?id=1708516#c35). This bug was ultimately closed on 2021-08-25 despite lingering concerns about the adequacy of GTS' response (https://bugzilla.mozilla.org/show_bug.cgi?id=1708516#c53).

It would appear from the above that while GTS was assuring the community that their compliance program was improved, they were simultaneously experiencing a recurrent compliance incident which they did not disclose.

In light of the above, I have the following questions for GTS:

1. Has Google Trust Services used the DNS Operator exception to skip CAA checking for any certificates issued on or after 2021-07-12?

2. Why did the changes implemented in response to https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 not prevent this incident?

3. Why did GTS not file an incident report when the CPS review led to the non-compliant CAA exception being removed from CPS version 4.0 on 2021-08-11?

Regards,
Andrew
