See responses inline below.

On Tue, Jan 25, 2022 at 10:47 PM Ryan Sleevi <[email protected]> wrote:

> Hi Ben,
>
> Maybe I’m misunderstanding, but I’m not sure I understand how this
> proposal relates to the issue that was filed?

Part of the issue was to set "policy for the expected actions that will occur when Mozilla receives an audit containing serious qualifications." We can also work on wiki pages that dive into greater detail on the mechanics of dealing with qualifications in audits. Also, Issue 150 <https://github.com/mozilla/pkipolicy/issues/150> was rolled into this work.

> As my comment on the issue at the time tried to capture, the scenario on
> the bug was about the expectations for CAs when they receive qualified
> audits, and how that may be treated.

I believed that in response to this, we need to make clearer that qualifications in audits are "incidents," which need to be tracked in Bugzilla through to remediation. I think that many CAs have understood that this has already been the practice for several years, as evidenced by the incidents filed by CAs in Bugzilla, but again, we needed to make sure that it was stated in policy.

> However, your new proposal seems to suggest that Mozilla doesn’t normally
> require CAs to follow the BRs, or the prescribed actions of the BRs, except
> in rare circumstances. That is, several of the MAY actions here are MUSTs
> in the BRs.

There was no intention to imply that compliance is discretionary. The proposed "MAYs" indicate that Mozilla has a variety of measures that it can take. ("MUSTs" in the BRs apply to CAs.)

> Have I misunderstood the original issue that is filed? Or is this language
> perhaps tackling something different? I would be worried if this language
> was adopted as-is, as it seems mostly to lower expectations.

One theme in the GitHub discussion of this issue is the flexibility and discretion that Mozilla has to sanction CAs. This was not meant to imply that Mozilla would be "soft" on CAs. It should be read to imply that Mozilla may just as equally impose severe sanctions, like root removal. If there is concern that this language might "tie" Mozilla's hands because CAs might have a claim to "due process", then maybe the language should be edited.

> Is there any circumstance where any of the MAYs not already MUSTs in the
> BRs wouldn’t be appropriate? Is it necessary to even enumerate the actions
> Mozilla may take, for those that are optional, versus addressing them as
> they arise (e.g. in incident reports)?

I'm inviting comments and suggestions on improving the language.

> Like I said, I’m very confused here about the goals of this change, as
> proposed.
>
> On Tue, Jan 25, 2022 at 10:25 PM Ben Wilson <[email protected]> wrote:
>
>> Here is some draft language to address this issue #155.
>>
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/a0457df0f17177844e416e04ba5a4897db41ac5a
>>
>> It adds a sentence to section 2.4 ("A "qualification" in a WebTrust
>> audit or a "finding of non-conformity" in an ETSI assessment is also an
>> incident.") and a new section 2.5 titled "Sanctions":
>>
>> Mozilla MAY require revocation of those leaf certificates or intermediate
>> certificates that suffered or that are considered defective because of the
>> incident. Mozilla expects the timely remediation of the problems that
>> caused or gave rise to the incident. Mozilla MAY require the CA operator to
>> submit a plan of action with milestones or additional audits to ensure
>> remediation and to regain confidence in the CA operator. Multiple incidents
>> with the same underlying cause, however minor, may lead to sanctions. If a
>> CA operator has failed to remediate the causes giving rise to an incident,
>> Mozilla MAY impose sanctions, including but not limited to: adding
>> certificates to OneCRL; removing trust bits from root certificates; and
>> removing root certificates from the trust store.
>>
>> On Sun, Jan 16, 2022 at 5:50 PM Ben Wilson <[email protected]> wrote:
>>
>>> All,
>>>
>>> This email introduces discussion of GitHub Issue #155
>>> <https://github.com/mozilla/pkipolicy/issues/155> - Describe actions
>>> Mozilla may take upon receipt of a qualified audit. The list below includes
>>> enforcement actions that Mozilla might take for any set of non-compliance
>>> events (not just serious issues discovered from a qualified audit). We
>>> also need to remain flexible with the actions to be taken, based on the
>>> circumstances.
>>>
>>> - Require revocation of leaf certificates
>>> - Require revocation of Intermediate CAs
>>> - Intermediate CA(s) added to OneCRL
>>> - Bugzilla Incident Reporting (Weekly)
>>> - Point-in-Time audits to show that underlying issues have been fixed
>>> - Plan of Action and Milestones (with monthly status reports)
>>> - 60-day Period-of-Time Audits
>>> - Detailed-controls audit reports
>>> - Websites trust bit removal
>>> - Root Removal
>>>
>>> See also
>>> https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Recurring_Issues
>>>
>>> Also, where in the MRSP should we put this new material -- as a new
>>> Section 3.1.5 under Section 3.1 "Audits"; as new section 7.4 under 7; as a
>>> new subsection that is part of Section 7.3 (Removals); or as new section
>>> 2.5 after 2.4 (Incidents)?
>>>
>>> Thoughts and suggestions?
>>>
>>> Thanks,
>>>
>>> Ben
