Could we add a section for geographical incidents? This is slightly outside your time window, but I think reading the series here has some uncanny echoes in the ones in your window.
https://bugzilla.mozilla.org/show_bug.cgi?id=1658792
https://bugzilla.mozilla.org/show_bug.cgi?id=1658794
https://bugzilla.mozilla.org/show_bug.cgi?id=1802916
https://bugzilla.mozilla.org/show_bug.cgi?id=1804753
https://bugzilla.mozilla.org/show_bug.cgi?id=1867130

On Tue, May 7, 2024 at 7:59 AM 'Ben Wilson' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
>
> Dear Mozilla Community,
>
> Over the past couple of months, a substantial number of compliance incidents
> have arisen in relation to Entrust. We have summarized these recent incidents
> in a dedicated wiki page: https://wiki.mozilla.org/CA/Entrust_Issues. In
> brief, these incidents arose out of certificate mis-issuance due to a
> misunderstanding of the EV Guidelines, followed by numerous mistakes in
> incident handling (including a deliberate decision to continue mis-issuance),
> which have been compounded by a failure to remediate the issues in a timely
> fashion in line with well-established norms and root store requirements.
>
> Our preliminary assessment of these incidents is that while they were
> relatively minor initially, the poor incident response has substantially
> aggravated them and the progress towards full remediation remains
> unacceptably slow. This is particularly disappointing in light of previous
> incidents in 2020 (#1651481 and #1648472), which arose out of similar
> misunderstandings of the requirements, similar poor decision-making in the
> initial response, and lengthy remediation periods that fell well below
> expectations. Entrust gave commitments in those bugs to address the root
> problems through process improvements, and it is concerning to see so little
> improvement 4 years later.
>
> In light of these recent incidents, we are requesting that Entrust produce a
> detailed report of them. This report should cover in detail:
>
> The factors and root causes that led to the initial incidents, highlighting
> commonalities among the incidents and any systemic failures;
>
> Entrust's initial incident handling and decision-making in response to these
> incidents, including any internal policies or protocols used by Entrust to
> guide their response and an evaluation of whether their decisions and overall
> response complied with Entrust's policies, their practice statement, and the
> requirements of the Mozilla Root Program;
>
> A detailed timeline of the remediation process and an apportionment of delays
> to root causes; and
>
> An evaluation of how these recent issues compare to the historical issues
> referenced above and Entrust's compliance with its previously stated
> commitments.
>
> Finally, Entrust's report should include a detailed proposal on how it plans
> to address the root causes of these issues. In light of previous guarantees
> given by Entrust in 2020 to ensure speedy remediation in future incidents,
> this proposal should include:
>
> Clear and concrete steps that Entrust proposes to take to address the root
> causes of these incidents and delayed remediation;
>
> Measurable and objective criteria for Mozilla and the community to evaluate
> Entrust's progress in deploying these solutions; and
>
> A timeline for which Entrust will commit to meeting these criteria.
>
> We strongly recommend that Entrust go beyond their existing commitment to
> offer systematic, automated solutions for effective remediation, like ACME
> ARI, and that it also include clear and measurable targets for the adoption of
> these tools by new and existing subscribers.
>
> This report should be submitted to the Mozilla dev-security-policy mailing list
> for evaluation by the community and Mozilla, who will weigh whether Entrust's
> report presents a credible and effective path towards re-establishing trust
> in Entrust's operation. Submission should be no later than June 7, 2024.
>
> We thank community members for their engagement on these issues and look
> forward to their feedback on Entrust's report and proposed commitments.
>
> Thanks,
>
> Ben Wilson
>
> Mozilla Root Program
>
> --
> You received this message because you are subscribed to the Google Groups
> "dev-security-policy@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dev-security-policy+unsubscr...@mozilla.org.
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYURqFzRqVmJdc7fBXE1mbGs25HpSkp5wZ0Xm%2BRG0YHCA%40mail.gmail.com.

--
Astra mortemque praestare gradatim