I was trying to use AI to analyze CPS docs to see where interesting
information might be. I've only looked at three different CAs so far, but
figured I'd share the results:

Sectigo – 70% of the CPS is nearly identical to the BRs. The primary
variation is in section 9 and the use of a reseller network.
Sectigo does not use:
- Method 3.2.2.4.12 (Validating Applicant as Domain Contact)
- Method 3.2.2.4.21 (DNS Labeled with Account ID - ACME)

DigiCert – about 80% overlap in language with the BRs. The primary
differences are that the DigiCert CPS covers public trust (not just TLS)
and the legal section.
DigiCert does not use:
1) Method 3.2.2.4.20 - TLS Using ALPN
2) Method 3.2.2.4.21 - DNS Labeled with Account ID - ACME

Comparing the two CPS docs together, the AI found they were about 85%
similar on TLS. Excluding the business sections (section 1 and section 9),
the CPS docs are 95% similar.

Let's Encrypt has about a 77% overlap with both DigiCert and Sectigo. The
major differences in the LE CPS are:
1) Business terms and the lack of OV certificates
2) Automation requirements for issuing certificates
3) No language around the use of RAs (because LE doesn't use RAs)

82% of all documentation is about how the CA matches the BRs.

This is, of course, subject to some interpretation by the AI used and I
haven't reviewed it in full. All CPS docs provide value in that they list
the CPR, the CAA records used, and the BR methods permitted for validation.
Is there a CPS I can look at that provides substantial additional
information beyond the BRs?
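The two checks the post describes (which BR section 3.2.2.4.x validation methods a CPS permits or disclaims, and how much CPS text overlaps the BRs, per section and with the business sections excluded), done deterministically as an added example rather than with an LLM. This is not the poster's tool or any CA's text: the BR method numbering 1..21, the negation heuristic and the sample policy excerpts are assumptions constructed for the example.

```python
"""Added example (not the poster's tool): the post's CPS-vs-BR checks without an LLM."""
import difflib
import re

# Assumption: BR domain validation methods are numbered 3.2.2.4.1 .. 3.2.2.4.21.
ALL_BR_METHODS = frozenset(range(1, 22))
METHOD_RE = re.compile(r"\b3\.2\.2\.4\.(\d{1,2})\b")
NEGATION_RE = re.compile(r"\b(not|never|no longer)\b", re.IGNORECASE)

def tokens(text: str) -> list[str]:
    """Lower-cased words; a dotted section number stays one token."""
    return re.findall(r"\w+(?:\.\w+)*", text.lower())

def permitted_methods(cps_text: str) -> set[int]:
    """Methods cited affirmatively; a method in a sentence carrying a negation
    ("does not use 3.2.2.4.12") counts as disclaimed (a heuristic)."""
    allowed, denied = set(), set()
    for sentence in re.split(r"(?<=[.;])\s+", cps_text):
        nums = {int(n) for n in METHOD_RE.findall(sentence)}
        (denied if NEGATION_RE.search(sentence) else allowed).update(nums)
    return allowed - denied

def unused_methods(cps_text: str) -> list[int]:
    """BR methods the CPS does not permit: the post's 'does not use' list."""
    return sorted(ALL_BR_METHODS - permitted_methods(cps_text))

def overlap_pct(a: str, b: str) -> float:
    """Word-level similarity of two texts, as a percentage."""
    return round(100 * difflib.SequenceMatcher(None, tokens(a), tokens(b)).ratio(), 1)

def section_overlap(cps: dict[str, str], br: dict[str, str], exclude=()) -> float:
    """Length-weighted overlap of sections both documents contain; `exclude`
    skips top-level sections (the post dropped business sections 1 and 9)."""
    matched = total = 0.0
    for sec in cps.keys() & br.keys():
        if sec.split(".")[0] in exclude:
            continue
        words = max(len(tokens(cps[sec])), len(tokens(br[sec])))
        matched += words * overlap_pct(cps[sec], br[sec]) / 100
        total += words
    return round(100 * matched / total, 1) if total else 0.0

# Constructed sample (not real CPS/BR text): the CPS copies the BR validation
# sentence, disclaims two methods and adds reseller wording in section 9.
SAMPLE_BR = {
    "3.2.2.4": "The CA validates domains using methods 3.2.2.4.7 and 3.2.2.4.18 and 3.2.2.4.20.",
    "9.6": "The CA represents that it complies with these Requirements."}
SAMPLE_CPS = {
    "3.2.2.4": "The CA validates domains using methods 3.2.2.4.7 and 3.2.2.4.18. The CA does not use 3.2.2.4.12 or 3.2.2.4.21.",
    "9.6": "The CA and its resellers represent that they comply with these Requirements and the reseller agreement."}
```

Running `section_overlap(SAMPLE_CPS, SAMPLE_BR, exclude=("1", "9"))` against real documents split by section number is the deterministic counterpart of the "95% similar excluding sections 1 and 9" figure above.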

On Mon, Jun 16, 2025 at 5:58 PM Jeremy Rowley <rowley...@gmail.com> wrote:

> Good question. I went through the last year of bugs and found the ones
> listed below. Determining what is a CPS violation vs. a BR violation is
> difficult because so many BR violations are also a CPS violation (as a lot
> of CPS documents mirror the BRs). I split it up between profile errors (at
> the bottom) and CPS related issues (at the top), both of which would be
> solved by automated CPS generation and a shift to treat the CPS document as
> a technical disclosure instead of a contract.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the
> full revocation reasons in its CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs
> but since the T&Cs generally incorporate the CPS I thought I'd count it?
> https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS
> and the BRs
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info
> in the CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on
> T&Cs (which would incorporate the CPS)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not
> working
> https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document
> mis-paste
> https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not
> compliant with CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in
> violation of CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published
> in time. This violated the BRs but would also violate the CPS if such items
> were actually dictated by the CPS instead of just the BRs.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not
> accepting attachments
> https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the
> ETSI requirement but not the BRs I think? Which would make it a CPS
> violation.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update
> CPS docs (note that the proposal would help remediate this by requiring
> automatic updates to CPS docs as things change).
> https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS
> on OCSP responses
> https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA
> checking
> https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of
> onboarding SOP
> https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP
> provided
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
> https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity
> not permitted in CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure
> issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR
> address
>
>
> I'm listing the profile issues as well as the proposal would address this
> issue, or at least make these issues more readily identifiable. If CAs are
> required to provide the profile directly from the CA, the profile can
> easily be compared to the BRs and issues identified. Right now the profile
> may not match the CPS so the CPS will be compliant but the profile will not
> match the requirements.
> Profiles mismatch:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert
> policies
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
> https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
> https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format
> issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
> https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies
> extension issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
> https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
> https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
> https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed
>
>
> On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <mike.sha...@gmail.com> wrote:
>
>> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <rowley...@gmail.com>
>> wrote:
>>
>>> Given the number of bugs related to CPS errors,
>>>
>>
>> Perhaps you’re in a position to answer this question: how many bugs
>> *have* there been in the last few years related to CPS errors, and how many
>> certs have been subject to revocation for that reason, pre-Microsoft?
>>
>> Mike
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAFK%3DoS-C_yJKjmP%3DnBjSDgzU%3Da%2BLXt%3D3c%2BhOVFEtXZqrOhEDiA%40mail.gmail.com.