Hi Clint and Rob,

This is relatively easy to implement, and we can start immediately by just adding [ca-infosharing] in the whiteboard. I've added it to the Mozilla CA Program wiki - https://wiki.mozilla.org/CA/Bug_Triage#Whiteboard_Tags ("For non-incident "lessons learned" and other descriptions of comprehensive steps a CA might take when addressing compliance, or cascading incidents, or to share its compliance-related experiences for the benefit of the ecosystem"), and I'll get this added somewhere on the CCADB website.

Thanks,
Ben
On Wed, May 22, 2024 at 4:18 PM 'Clint Wilson' via CCADB Public <[email protected]> wrote:

> Hi Rob,
>
> This incident is a valuable example for the ecosystem of the steps that may be necessary for a CA to take when approaching compliance and incidents comprehensively, especially when incidents spiral or cascade into the discovery of more underlying or systemic issues than at first appearance. I would absolutely encourage other CAs to share (and continue sharing) similar information, as we see SSL.com working on with their reseller interactions or when Amazon provided a presentation at a recent CA/B Forum F2F. Even if the events from which CAs learned a great deal or which heavily impacted their ability to successfully comply with industry expectations and requirements are in the distant past, such retrospective analyses can be incredibly valuable no matter their timing.
>
> I similarly support disclosing such "lessons learned" in Bugzilla and having a tag dedicated thereto seems appropriate -- especially if this becomes more common for CAs to do. Alternatively, if Mozilla would prefer organizing these in some other way, I'm not opposed; the goal here is discoverability and there are likely any number of ways to succeed in that goal.
>
> Cheers!
> -Clint
>
> On Wednesday, May 22, 2024 at 12:25:12 PM UTC-7 Rob Stradling wrote:
>
>> A few years ago, Sectigo created https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share information about our "Guard Rails" project. Quoting that bug:
>>
>> *“Guard Rails” is a convenient name for a series of programmatic checks we are putting in place to confirm certificate orders for compliance with specific requirements before issuance can occur. Guard Rails are like Certificate Lints, except that they may be stricter than what CA/B Forum and root program policies require. By defining and adding these checks, we can eliminate potential sources of misissuance and achieve higher overall issuance quality. This initiative is borne in part from the understanding that human-based processes are fundamentally error prone, and to the degree we can implement defined machine processes, our error rate will go down.*
>>
>> We took steps <https://bugzilla.mozilla.org/show_bug.cgi?id=1724476#c1> (comment #1) to avoid this bug being seen as an "incident" bug:
>>
>> *Since this bug is intended to be a repository for information and discussion rather than a response to any particular CA Compliance incident, I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not putting [ca-compliance] in the Whiteboard field. We chose to deviate from the "<CA Name>: <Incident Summary>" bug title format for the same reason.*
>>
>> However, at some point since then somebody decided to add the "[ca-compliance]" whiteboard tag, which seems problematic to us.
>>
>> In order to clearly identify this type of information sharing "bug", and even to encourage other CAs to consider doing likewise, we would like to propose a new whiteboard tag:
>>
>> [ca-infosharing]
>>
>> --
>> Rob Stradling
>> Distinguished Engineer
>> Sectigo Limited
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/2642e3b1-cbc0-4964-9743-b27851ff17b8n%40ccadb.org.

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaaQiU_MJE_vhBPtwTeHtDO%2BgzydOfukHd%2B1pfAhF7J5Gg%40mail.gmail.com.
