Hi Rob, This incident is a valuable example for the ecosystem of the steps that may be necessary for a CA to take when approaching compliance and incidents comprehensively, especially when incidents spiral or cascade into the discovery of more underlying or systemic issues than at first appearance. I would absolutely encourage other CAs to share (and continue sharing) similar information, as we see SSL.com working on with their reseller interactions or when Amazon provided a presentation at a recent CA/B Forum F2F. Even if the events from which CAs learned a great deal or which heavily impacted their ability to successfully comply with industry expectations and requirements are in the distant past, such retrospective analyses can be incredibly valuable no matter their timing.
I similarly support disclosing such "lessons learned" in Bugzilla and having a tag dedicated thereto seems appropriate -- especially if this becomes more common for CAs to do. Alternatively, if Mozilla would prefer organizing these in some other way, I'm not opposed; the goal here is discoverability and there are likely any number of ways to succeed in that goal. Cheers! -Clint On Wednesday, May 22, 2024 at 12:25:12 PM UTC-7 Rob Stradling wrote: > A few years ago, Sectigo created > https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share > information about our "Guard Rails" project. Quoting that bug: > *“Guard Rails” is a convenient name for a series of programmatic checks we > are putting in place to confirm certificate orders for compliance with > specific requirements before issuance can occur. Guard Rails are like > Certificate Lints, except that they may be stricter than what CA/B Forum > and root program policies require. By defining and adding these checks, we > can eliminate potential sources of misissuance and achieve higher overall > issuance quality. This initiative is borne in part from the understanding > that human-based processes are fundamentally error prone, and to the degree > we can implement defined machine processes, our error rate will go down.* > > We took steps <https://bugzilla.mozilla.org/show_bug.cgi?id=1724476#c1> > (comment > #1) to avoid this bug being seen as an "incident" bug: > *Since this bug is intended to be a repository for information and > discussion rather than a response to any particular CA Compliance incident, > I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not > putting [ca-compliance] in the Whiteboard field. We chose to deviate from > the "<CA Name>: <Incident Summary>" bug title format for the same reason.* > > However, at some point since then somebody decided to add the > "[ca-compliance]" whiteboard tag, which seems problematic to us. > > In order to clearly identify this type of information sharing "bug", and > even to encourage other CAs to consider doing likewise, we would like to > propose a new whiteboard tag: > > [ca-infosharing] > > -- > Rob Stradling > Distinguished Engineer > Sectigo Limited > > > > -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/2642e3b1-cbc0-4964-9743-b27851ff17b8n%40ccadb.org.
