Re: Audit Letter Validation (ALV) on intermediate certs in CCADB
On Thu, Dec 19, 2019 at 9:23 AM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Nov 26, 2019 at 6:10 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > On Mon, 25 Nov 2019 14:12:46 -0800
> > Kathleen Wilson via dev-security-policy wrote:
> >
> > > CAs should have been keeping track of and resolving their own known
> > > problems in regards to not fully following the BRs and Mozilla
> > > policy. For example, I expect that a situation in which I responded
> > > with an OK in 2016 would have been corrected in the 3 years since
> > > that email was written.
> >
> > Perhaps to this end it would be useful for Mozilla's periodic survey
> > letters to always ask each CA to list any exceptional circumstances they
> > believe currently apply to them?
>
> We've included a question about complying with the intermediate audit
> requirements in the January survey, but not a more general question about
> exceptions. I feel that an open-ended question such as this will be
> confusing for CAs to answer, and moreover I don't want to create the
> impression that Mozilla grants exceptions for policy violations because, as
> a general rule, we don't.
>
> > This would act both as a reminder to Mozilla of any such exceptions
> > which they granted but may have assumed meanwhile ceased to be
> > relevant, AND to the CA of any such exceptions upon which they find
> > themselves still relying.
> >
> > The publication of CA responses is an opportunity for Mozilla, Peers
> > and the wider community to comment on any discrepancy.

Maybe rather than including it in the survey, Mozilla should make a requirement that exception information be included in the yearly reporting? It could simply be a separate letter from the CA management requesting a continuation of the exception, or could be a statement of excluded topics in the auditor's report, depending on the situation and structure of the audit.
Thanks,
Peter

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Audit Letter Validation (ALV) on intermediate certs in CCADB
On Thu, 19 Dec 2019 10:23:19 -0700 Wayne Thayer via dev-security-policy wrote:

> We've included a question about complying with the intermediate audit
> requirements in the January survey, but not a more general question
> about exceptions. I feel that an open-ended question such as this
> will be confusing for CAs to answer, and moreover I don't want to
> create the impression that Mozilla grants exceptions for policy
> violations because, as a general rule, we don't.

As a general rule you don't grant exceptions, and so exceptions are, let's say, an exception to that general rule? Hence the name.

So, to the same end as my original proposal, I recommend instead that Mozilla personalizes any CA survey sent out to a CA which they believe currently benefits from any such exceptions - setting out what those exceptions to its rules are for that CA. And in all communications the text should be clear that any exceptions the CA believed were in place are in fact spent as far as Mozilla is concerned unless they are enumerated in this communication.

In the event there are in fact NO exceptions, that's just one small tweak to the text. In the event that one or two CAs benefit from some minor exception which still has force, it's a little bit of work, and in the process a firm reminder to both Mozilla and the CA of the ongoing price of such exceptions. And in the event that it's actually dozens of exceptions across many or most CAs, I hope the realisation of the effort involved will cause Wayne to reconsider his previous claim that "as a general rule, we don't".

One valuable opportunity from m.d.s.policy is for CAs to learn from each other's mistakes and in doing so avoid making the same or similar mistakes themselves.

But Mozilla has opportunities to learn from mistakes here too, and I feel as though the mismatch between Kathleen's expectation (that a situation should have "resolved" since 2016) and the CA's understanding (that this constituted an indefinite exception to Mozilla policy) is such a mistake.

Nick.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy