All,

In an incident report recently, there was discussion about the right way to report the certificates involved in the incident. See https://bugzilla.mozilla.org/show_bug.cgi?id=1736064

In section 5 of https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report, it currently says, "5. In a case involving TLS server certificates, the complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or *crt.sh IDs*, either in the report or as an attached spreadsheet, with one list per distinct problem."

We are thinking of removing the reference to the "crt.sh ID" and clarifying the instructions on providing the certificate fingerprints. Instead of the crt.sh database ID, for instance, crt.sh currently supports a lookup based on the SHA256 hash (https://crt.sh/?q=[sha256 hash]).

Should it instead say, "The recommended way to provide this is to ensure each certificate is logged to CT and then list the crt.sh fingerprint URL for each certificate in the format 'https://crt.sh/?q=[sha256 hash]', ...."?

Should the SHA1 fingerprint also be allowed? What is the preferred method, and which other alternatives should be allowed for unambiguously reporting / locating the certificates or their "complete certificate data"?

Thanks,
Ben
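As an added illustration of the reporting format under discussion (this is example code written for this page, not part of Ben's message or of any Mozilla tooling): the script below takes a PEM file or bundle, computes the SHA-256 (or SHA-1) fingerprint of each certificate's DER encoding, normalises a fingerprint pasted from tool output (colons, upper case, the "Fingerprint=" prefix openssl prints) and emits one https://crt.sh/?q=[sha256 hash] line per certificate. It refuses anything that is not exactly a SHA-256 or SHA-1 hex digest, so a bare crt.sh database ID cannot be passed off as a fingerprint. The embedded PEM is constructed: its body is the base64 of the bytes "abc", not a real certificate, so the example runs offline; point it at a real PEM bundle in practice.

```python
import base64
import hashlib
import re

# Constructed sample: the armored body is base64 of the bytes b"abc", NOT a
# real DER certificate. It only exists so the example runs offline; replace it
# with a real PEM bundle (e.g. `openssl x509 -outform PEM` output) in practice.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Hex digest lengths of the two fingerprint types the thread discusses.
_HEX_LENGTHS = {64: "sha256", 40: "sha1"}


def pem_to_der(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM string or bundle."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate fingerprint: hash of the DER encoding, as lowercase hex.

    This is the value `openssl x509 -fingerprint -sha256` prints, minus the
    colons. Only sha256 and sha1 are accepted, mirroring the two options
    being weighed in the thread.
    """
    if algo not in ("sha256", "sha1"):
        raise ValueError("fingerprint must be sha256 or sha1")
    return hashlib.new(algo, der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Canonicalise a fingerprint pasted from various tools.

    Strips an optional 'SHA256 Fingerprint=' style prefix, colons and
    whitespace, lowercases, and rejects anything that is not exactly a
    SHA-256 (64 hex) or SHA-1 (40 hex) digest. A bare decimal crt.sh ID,
    for instance, is not a fingerprint and is refused rather than guessed at.
    """
    if "=" in text:
        text = text.split("=", 1)[1]
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if len(cleaned) not in _HEX_LENGTHS or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"not a SHA-256 or SHA-1 fingerprint: {text!r}")
    return cleaned


def is_valid_fingerprint(text: str) -> bool:
    """True if normalize_fingerprint() would accept the value."""
    try:
        normalize_fingerprint(text)
        return True
    except ValueError:
        return False


def crt_sh_url(fp: str) -> str:
    """crt.sh lookup URL in the form proposed in the thread: https://crt.sh/?q=[hash]."""
    return "https://crt.sh/?q=" + normalize_fingerprint(fp)


def report_lines(pem_text: str) -> list[str]:
    """One '<sha256 fingerprint> <crt.sh URL>' line per certificate, ready for a report."""
    lines = []
    for der in pem_to_der(pem_text):
        fp = fingerprint(der, "sha256")
        lines.append(f"{fp} {crt_sh_url(fp)}")
    return lines


if __name__ == "__main__":
    for line in report_lines(SAMPLE_PEM):
        print(line)
```

Run it against a real bundle with `python3 fp.py` after swapping SAMPLE_PEM for the file contents, or import report_lines() from a larger script that walks a directory of PEM files; each output line pairs the bare hex fingerprint (for a spreadsheet) with the URL form (for the report body).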
