Re: Audit Reminders for Intermediate Certs

2020-05-07 Thread Kathleen Wilson via dev-security-policy

On 5/6/20 5:19 AM, Ryan Sleevi wrote:
> Should we be creating CA incidents for repeats? I wasn’t sure if this was
> just an administrative hiccup on the Mozilla side in processing the case,
> or if this is a matter where the CA is not disclosing in a timely fashion.

CAs directly add audit information to intermediate certificate records
in the CCADB, so there is no dependency on the Mozilla side for this.


https://wiki.mozilla.org/CA/Email_templates#Outdated_Audit_Statements_for_Intermediate_Certificates
"This email is automatically sent by the CCADB on the first Tuesday of 
each month to CAs who have outdated audit statements in their 
intermediate cert records. An audit statement is determined to be 
outdated when its Audit Period End Date is older than 1 year + 3 months."


Last year I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1549861 
regarding Camerfirma not providing updated audit statements for their 
subCAs.


This year Camerfirma received one notice for the outdated audit 
statement for an intermediate cert, before they fixed it.


I didn't post the "Summary of April 2020 Outdated Audit Statements for 
Intermediate Certs" here in m.d.s.p, because it was empty. But perhaps I 
should post those empty summaries as well.


Anyways, my preference is to file a CA incident bug whenever a CA 
receives more than one of these "Outdated Audit Statements for 
Intermediate Certs" reminders for consecutive months.


Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
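The outdated-audit rule quoted in the message above (an Audit Period End Date older than 1 year + 3 months, checked on the first Tuesday of each month) and the suggested escalation after reminders in consecutive months, worked through as an added Python example. This is not code from the thread or from the CCADB; the CA names, record dates and reminder history are constructed, and `shift_months`, `first_tuesday`, `monthly_reminders` and `consecutive_reminder_cas` are this example's own helpers, not CCADB functions.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntermediateRecord:
    """One intermediate-cert record with its audit period end date (CCADB-shaped, constructed)."""
    ca_owner: str
    subject: str
    audit_period_end: date


# Constructed sample records; the CA names and dates are made up for this example.
SAMPLE_RECORDS = [
    IntermediateRecord("Example CA A", "Example CA A Intermediate 1", date(2019, 1, 31)),
    IntermediateRecord("Example CA A", "Example CA A Intermediate 2", date(2019, 6, 30)),
    IntermediateRecord("Example CA B", "Example CA B Intermediate 1", date(2018, 11, 30)),
    IntermediateRecord("Example CA C", "Example CA C Intermediate 1", date(2019, 3, 15)),
]


def shift_months(d: date, months: int) -> date:
    """Move a date by whole months, clamping the day to the target month's length."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def first_tuesday(year: int, month: int) -> date:
    """The day the monthly reminder goes out: the first Tuesday of the month."""
    first = date(year, month, 1)
    return first.replace(day=1 + (1 - first.weekday()) % 7)  # weekday(): Tuesday == 1


def outdated_cutoff(as_of: date) -> date:
    """Audit statements whose period ends before this date are outdated (1 year + 3 months)."""
    return shift_months(as_of, -15)


def is_outdated(record: IntermediateRecord, as_of: date) -> bool:
    return record.audit_period_end < outdated_cutoff(as_of)


def monthly_reminders(records, as_of: date) -> dict:
    """Group outdated intermediates by CA owner: who would receive a reminder this month."""
    reminders: dict = {}
    for rec in records:
        if is_outdated(rec, as_of):
            reminders.setdefault(rec.ca_owner, []).append(rec.subject)
    return {owner: sorted(subjects) for owner, subjects in reminders.items()}


def consecutive_reminder_cas(history: dict) -> set:
    """CAs reminded in two consecutive months: candidates for an incident bug.

    history maps each month's reminder date to the set of CA owners reminded then.
    A month with no reminders simply has no entry, which breaks the streak.
    """
    flagged = set()
    months = sorted(history)
    for prev, cur in zip(months, months[1:]):
        if shift_months(prev, 1).replace(day=1) == cur.replace(day=1):
            flagged |= history[prev] & history[cur]
    return flagged


if __name__ == "__main__":
    as_of = first_tuesday(2020, 5)
    print(f"Reminder date {as_of}, audit periods ending before {outdated_cutoff(as_of)} are outdated")
    for owner, subjects in monthly_reminders(SAMPLE_RECORDS, as_of).items():
        print(f"  {owner}: {', '.join(subjects)}")
```

A CA can run the same check against its own CCADB export before the first Tuesday to see which records would trigger a reminder; the month-clamping in `shift_months` matters because a period ending on the 31st shifted back 15 months must not raise a `ValueError`.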


Re: DRAFT May 2020 CA Communication/Survey

2020-05-07 Thread Kathleen Wilson via dev-security-policy

> I have drafted a potential CA Communication and survey, and will greatly
> appreciate your input on it.
>
> https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication
>
> Direct link to read-only copy of the draft survey:
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J42AUSv

I believe that all of the questions/concerns have been resolved, so I 
will open up the survey now, and prepare to send the email to the CAs 
about it.



Thanks,
Kathleen


GRCA: Out-of-date CPS provided in CCADB

2020-05-07 Thread Matt Palmer via dev-security-policy
In trying to validate the problem reporting e-mail address for
https://crt.sh/?id=657220608, I grovelled through the CCADB CSV-o'-Doom
(freshly downloaded for that "new CSV" smell ), and the CPS link
therein refers to http://grca.nat.gov.tw/download/GPKI_CP_eng_v1.7.pdf
which, at the time of writing, is dated "January 31, 2013".

It also has no Section 1.5.2 (at all), and Section 1.4, "Contact Details",
does not have any contact details in it, but merely refers the interested
reader to http://grca.nat.gov.tw/, which... is in (I assume) Chinese, which
I sadly cannot read.

This all makes it rather difficult to report a key compromise, and I'd
really appreciate it if (a) GRCA could fix this up ASAP, and (b) other CAs
could cast an eye over their CPSes to make sure they're not six years
out-of-date.

- Matt



Filtering on problem reporting e-mail addresses

2020-05-07 Thread Matt Palmer via dev-security-policy
This has happened twice now, with two different CAs, so I'm going to raise
it as a general issue.

I've had one CA reject e-mails because the HELO name wasn't to their liking
(which I was able to fix).  The other, which has just started happening now,
is utterly inscrutable -- "550 Administrative prohibition - envelope
blocked".  Given that the envelope sender and recipient haven't changed from
the numerous other problem reports I've sent over the past month or so, I'm
really at a loss as to how to proceed.

Questions that arise in my mind:

1. To what extent is it reasonable for a CA to reject properly-formed
e-mails to the CPS-published e-mail address for certificate problem
reporting?

2. What is a reasonable response from a problem reporter to a rejected
problem report e-mail?

3. In what ways are the required timelines for revocation impacted by the
rejection of a properly-formed certificate problem report?

- Matt
