Hi Andrew,
Thank you for the questions and checking on details. We removed the option to use the DNS operator exception from our secondary CA platform on 2021-05-13 (60 days before the ballot changes went into effect, see timeline below). Our primary CA platform has never used it. In May, we conducted our annual CPS review and prepared several updates including the one that removed the exception from Section 4.2.4. It was not published earlier because the update was bundled together with other changes in one revision. We did not file an incident because removal of the DNS operator exception was identified and acted upon well ahead of the deadline. The CPS update was also started before SC46 became effective. We regret it was not published prior to the effective date.

*Timeline*
2021-04-29 - Engineers are made aware of need to remove the operator exception
2021-05-04 - Code changes removing the exception from CA systems where it was allowed are proposed
2021-05-05 - CPS edits are proposed to remove the DNS Operator exception as required by SC46
2021-05-13 - Code change becomes effective and use of the operator exception is technically restricted by all of our systems
2021-07-12 - SC46 becomes effective
2021-08-11 - The GTS CPS covering removal of the operator exception is publicly published

Brett L
Google Trust Services

On Tuesday, August 31, 2021 at 10:26:21 AM UTC-4 Andrew Ayer wrote:
> Prior to 2021-08-11, Google Trust Services' CPS (version 3.4,
> https://pki.goog/repo/cps/3.4/GTS-CPS.pdf) contained the following
> exception to checking CAA:
>
> "If Google is the DNS Operator (as defined in RFC 7719) of the domain's
> DNS."
>
> This exception was banned by CABF Ballot SC46, which passed
> on 2021-06-02 and became effective 2021-07-12. However, it
> was not removed from GTS' CPS until 2021-08-11 (version 4.0,
> https://pki.goog/repo/cps/4.0/GTS-CPS.pdf), with the changelog note
> "Updated various sections following full CPS review".
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 describes a similar
> incident from April of this year - a failure by GTS to update their CPS
> to reflect BR changes. To "prevent similar issues from happening again",
> GTS committed to making several changes, including:
>
> 1. "Implementing automation that monitors the Baseline Requirements
> document repository and Mozilla tickets and automatically creates tickets
> in [GTS'] internal tracking system", scheduled to be implemented by
> 2021-06-15 (https://bugzilla.mozilla.org/show_bug.cgi?id=1706967#c11)
>
> 2. Instituting a weekly meeting (previously bi-weekly) to "ensure
> continual compliance with the Baseline Requirements", beginning 2021-05-03
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1706967#c11).
>
> Despite detecting and removing the non-compliant DNS Operator exception
> during a CPS review, GTS has not filed an incident report about the
> non-compliance. https://bugzilla.mozilla.org/show_bug.cgi?id=1708516
> describes another failure by GTS to file an incident report
> as well as generally poor compliance practices by GTS
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1708516#c35).
> This bug was ultimately closed on 2021-08-25 despite
> lingering concerns about the adequacy of GTS' response
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1708516#c53).
>
> It would appear from the above that while GTS was assuring the community
> that their compliance program was improved, they were simultaneously
> experiencing a recurrent compliance incident which they did not disclose.
>
> In light of the above, I have the following questions for GTS:
>
> 1. Has Google Trust Services used the DNS Operator exception to skip
> CAA checking for any certificates issued on or after 2021-07-12?
>
> 2. Why did the changes implemented in response to
> https://bugzilla.mozilla.org/show_bug.cgi?id=1706967 not prevent
> this incident?
>
> 3. Why did GTS not file an incident report when the CPS review led
> to the non-compliant CAA exception being removed from CPS version 4.0
> on 2021-08-11?
>
> Regards,
> Andrew
