Re: GRCA: Out-of-date CPS provided in CCADB
On Sun, May 10, 2020 at 09:16:41AM -0700, irvinfly--- via dev-security-policy wrote:
> Hi, I'm researching the status of Taiwan GCA and coincidentally found this
> issue. I will try to find a relevant staff member at National Development
> Council to get back.

Coincidentally, I happened to stumble over https://bugzilla.mozilla.org/show_bug.cgi?id=1463975, which if I'm reading it correctly, indicates that the GRCA has more-or-less ceased operating.

I'm of the opinion that their pending removal does not absolve them of the need to abide by Mozilla Policy and community norms in the meantime, however practically speaking I'd be surprised if you got much of a useful response.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: GRCA: Out-of-date CPS provided in CCADB
Hi, I'm researching the status of Taiwan GCA and coincidentally found this issue. I will try to find a relevant staff member at National Development Council to get back.

- Irvin (volunteer at moztw community)

On Thursday, May 7, 2020 at 8:18:07 PM UTC+8, Matt Palmer wrote:
> In trying to validate the problem reporting e-mail address for
> https://crt.sh/?id=657220608, I grovelled through the CCADB CSV-o'-Doom
> (freshly downloaded for that "new CSV" smell), and the CPS link
> therein refers to http://grca.nat.gov.tw/download/GPKI_CP_eng_v1.7.pdf
> which, at the time of writing, is dated "January 31, 2013".
>
> It also has no Section 1.5.2 (at all), and Section 1.4, "Contact Details",
> does not have any contact details in it, but merely refers the interested
> reader to http://grca.nat.gov.tw/, which... is in (I assume) Chinese, which
> I sadly cannot read.
>
> This all makes it rather difficult to report a key compromise, and I'd
> really appreciate it if (a) GRCA could fix this up ASAP, and (b) other CAs
> could cast an eye over their CPSes to make sure they're not six years
> out-of-date.
>
> - Matt

Re: [FORGED] Mozilla's Expectations for OCSP Incident Reporting
Wayne Thayer via dev-security-policy writes:

>It was recently reported [1] that IdenTrust experienced a multi-day OCSP
>outage about two weeks ago.

Just to understand the scope of this, what was the impact on end users? If it went on for multiple days then presumably no-one noticed it, the second reference:

https://community.letsencrypt.org/t/identrust-ocsp-producing-errors/120677

states:

  Usually few clients do OCSP checks of the intermediate cert, thus this
  probably doesn't show up very often.

From the report it looks like a very specific config was required to even notice it. If an OCSP responder crashes on the Internet and no-one checks it, does it make a difference?

(Interesting to see that the Wikipedia page for this philosophical question helpfully shows a photo of "A fallen tree in a forest" to illustrate the concept).

Peter.