Re: Changing CCADB domains
Here are the changes we are requesting to be made on Friday, May 19, at 1pm PDT.

1) https://mozillacacommunity.force.com/ will be changed to https://ccadb.force.com/
(This is the CA login page, and the domain CAs see when they are logged into the CCADB)

2) https://mozillacaprogram.secure.force.com/ will be changed to https://mozilla-ccadb.secure.force.com/
(This is the domain for the Mozilla reports that are published directly from the CCADB)

Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Changing CCADB domains
On 06/05/17 10:25, Jesper Kristensen via dev-security-policy wrote:
>> Mozilla could CNAME from ccadb.org to .force.com, and then declare that the ccadb.org URLs are the official ones.
>>
>> Is that what you meant, Peter?
>
> You cannot set up a CNAME without configuring Salesforce, since they would not know your Host/SNI header, and they would not serve a cert that is valid for your domain.

Ah.

> You can set up a new domain in Salesforce while keeping the old mozillacacommunity.force.com without premium support, as long as the new domain is a custom domain and not a force.com domain.

Or Mozilla could set up https://login.ccadb.org to simply return an HTTP temporary redirect to .force.com.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Changing CCADB domains
On 05-05-2017 at 11:22, Rob Stradling via dev-security-policy wrote:
> On 05/05/17 04:25, Peter Bowen via dev-security-policy wrote:
>> On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via dev-security-policy wrote:
>>> All,
>>>
>>> I think it is time for us to change the domains that we are using for the CCADB as follows.
>>>
>>> Change the links for...
>>>
>>> 1) CAs to login to the CCADB
>>> from https://mozillacacommunity.force.com/
>>> to https://ccadb.force.com/
>>>
>>> 2) all published reports
>>> from https://mozillacaprogram.secure.force.com/
>>> to https://ccadb.secure.force.com/
>>>
>>> We asked Salesforce for a temporary redirect from the old to the new URLs, but that was declined because we're not paying for premium support for the CCADB. (Other than this change, I do not currently see the need for us to pay for premium support.)
>>
>> Is it also a "premium" feature to use custom domain names? I think it would probably make sense to use ccadb.org (which seems to belong to Mozilla) rather than force.com.
>
> Mozilla could CNAME from ccadb.org to .force.com, and then declare that the ccadb.org URLs are the official ones.
>
> Is that what you meant, Peter?

You cannot set up a CNAME without configuring Salesforce, since they would not know your Host/SNI header, and they would not serve a cert that is valid for your domain.

You can set up a new domain in Salesforce while keeping the old mozillacacommunity.force.com without premium support, as long as the new domain is a custom domain and not a force.com domain.

--
Jesper Kristensen
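
The point made in the message above (a CNAME alone is not enough, because the platform chooses its certificate from the Host/SNI name it is sent), modelled as an added example that is not part of the thread. The DNS record, the certificate SAN lists and all function names are constructed assumptions, not values observed from Salesforce or Mozilla.

```python
# Added illustration: every record and SAN list below is a constructed assumption.

def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False          # a wildcard never spans more than one label
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat

def follow_cname(name, cnames, limit=8):
    """Resolve a CNAME chain held in a dict; stop on loops or over-long chains."""
    seen = set()
    while name in cnames and name not in seen and len(seen) < limit:
        seen.add(name)
        name = cnames[name]
    return name

def connect(requested, cnames, certs_by_sni, default_sans):
    """Return (endpoint reached via DNS, whether the client accepts the cert).

    The client sends `requested` as SNI/Host and verifies the certificate
    against `requested`; the CNAME target only decides where packets go.
    """
    endpoint = follow_cname(requested, cnames)
    served = certs_by_sni.get(requested, default_sans)  # unknown SNI: default cert
    return endpoint, any(san_matches(requested, san) for san in served)

CNAMES = {"login.ccadb.org": "ccadb.force.com"}   # constructed DNS record
PLATFORM_DEFAULT = ["*.force.com"]                # assumed platform default cert
CERTS = {"ccadb.force.com": ["*.force.com"]}      # name the platform already knows

def demo():
    direct = connect("ccadb.force.com", CNAMES, CERTS, PLATFORM_DEFAULT)
    cname_only = connect("login.ccadb.org", CNAMES, CERTS, PLATFORM_DEFAULT)
    # Once the custom domain is registered with the platform, it can serve a
    # certificate issued for that name (constructed entry).
    configured = dict(CERTS, **{"login.ccadb.org": ["login.ccadb.org"]})
    custom = connect("login.ccadb.org", CNAMES, configured, PLATFORM_DEFAULT)
    return direct, cname_only, custom

if __name__ == "__main__":
    for label, result in zip(("direct", "CNAME only", "custom domain"), demo()):
        print(label, result)
```

The same label-by-label matching shows why a two-level name such as mozilla-ccadb.secure.force.com needs a certificate for `*.secure.force.com` rather than `*.force.com`.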
Re: Changing CCADB domains
On 05/05/17 16:08, Gervase Markham via dev-security-policy wrote:
> On 05/05/17 10:22, Rob Stradling wrote:
>> Mozilla could CNAME from ccadb.org to .force.com, and then declare that the ccadb.org URLs are the official ones.
>
> It would need to be .ccadb.org, as we plan to use www.ccadb.org as an introductory website for the CCADB, once Mozilla IT configures things correctly ;-)

How about...

login.ccadb.org => mozillacacommunity.force.com
(to be changed on May 19th to => ccadb.force.com)

reports.ccadb.org => mozillacaprogram.secure.force.com
(to be changed on May 19th to => ccadb.secure.force.com)

?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Changing CCADB domains
On 05/05/17 10:22, Rob Stradling wrote:
> Mozilla could CNAME from ccadb.org to .force.com, and then
> declare that the ccadb.org URLs are the official ones.

It would need to be .ccadb.org, as we plan to use www.ccadb.org as an introductory website for the CCADB, once Mozilla IT configures things correctly ;-)

Gerv
Re: Changing CCADB domains
Yes

On Fri, May 5, 2017 at 2:22 AM Rob Stradling wrote:
> On 05/05/17 04:25, Peter Bowen via dev-security-policy wrote:
> > On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via
> > dev-security-policy wrote:
> >> All,
> >>
> >> I think it is time for us to change the domains that we are using for the CCADB as follows.
> >>
> >> Change the links for...
> >>
> >> 1) CAs to login to the CCADB
> >> from
> >> https://mozillacacommunity.force.com/
> >> to
> >> https://ccadb.force.com/
> >>
> >> 2) all published reports
> >> from
> >> https://mozillacaprogram.secure.force.com/
> >> to
> >> https://ccadb.secure.force.com/
> >>
> >> We asked Salesforce for a temporary redirect from the old to the new URLs, but that was declined because we're not paying for premium support for the CCADB. (Other than this change, I do not currently see the need for us to pay for premium support.)
> >
> > Is it also a "premium" feature to use custom domain names? I think it
> > would probably make sense to use ccadb.org (which seems to belong to
> > Mozilla) rather than force.com.
>
> Mozilla could CNAME from ccadb.org to .force.com, and then
> declare that the ccadb.org URLs are the official ones.
>
> Is that what you meant, Peter?
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
Re: Changing CCADB domains
On 05/05/17 04:25, Peter Bowen via dev-security-policy wrote:
> On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via dev-security-policy wrote:
>> All,
>>
>> I think it is time for us to change the domains that we are using for the CCADB as follows.
>>
>> Change the links for...
>>
>> 1) CAs to login to the CCADB
>> from https://mozillacacommunity.force.com/
>> to https://ccadb.force.com/
>>
>> 2) all published reports
>> from https://mozillacaprogram.secure.force.com/
>> to https://ccadb.secure.force.com/
>>
>> We asked Salesforce for a temporary redirect from the old to the new URLs, but that was declined because we're not paying for premium support for the CCADB. (Other than this change, I do not currently see the need for us to pay for premium support.)
>
> Is it also a "premium" feature to use custom domain names? I think it would probably make sense to use ccadb.org (which seems to belong to Mozilla) rather than force.com.

Mozilla could CNAME from ccadb.org to .force.com, and then declare that the ccadb.org URLs are the official ones.

Is that what you meant, Peter?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Changing CCADB domains
On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via dev-security-policy wrote:
> All,
>
> I think it is time for us to change the domains that we are using for the
> CCADB as follows.
>
> Change the links for...
>
> 1) CAs to login to the CCADB
> from
> https://mozillacacommunity.force.com/
> to
> https://ccadb.force.com/
>
> 2) all published reports
> from
> https://mozillacaprogram.secure.force.com/
> to
> https://ccadb.secure.force.com/
>
> We asked Salesforce for a temporary redirect from the old to the new URLs,
> but that was declined because we're not paying for premium support for the
> CCADB. (Other than this change, I do not currently see the need for us to pay
> for premium support.)

Is it also a "premium" feature to use custom domain names? I think it would probably make sense to use ccadb.org (which seems to belong to Mozilla) rather than force.com.

Thanks,
Peter
Re: Changing CCADB domains
On Wednesday, May 3, 2017 at 1:21:29 PM UTC-7, Nick Lamb wrote:
> If you believe there are, or are likely to be, CAs trying to fill out the
> survey a bit late, it may make sense to wait for that before triggering this
> change, so as to avoid the (it seems almost inevitable) response that they
> tried to do the survey but they were using the old link and it didn't work...

Good point. We will ask Salesforce to make this change on May 19.

Thanks,
Kathleen
Re: Changing CCADB domains
Thanks for your notice Kathleen.

One thought: Very often several CAs ask for more time to complete the Mozilla survey, either explicitly, or implicitly by just not filling it out in a timely fashion and saying they're very busy and will do it "soon" if they're asked.

If you believe there are, or are likely to be, CAs trying to fill out the survey a bit late, it may make sense to wait for that before triggering this change, so as to avoid the (it seems almost inevitable) response that they tried to do the survey but they were using the old link and it didn't work...
Changing CCADB domains
All,

I think it is time for us to change the domains that we are using for the CCADB as follows.

Change the links for...

1) CAs to login to the CCADB
from https://mozillacacommunity.force.com/
to https://ccadb.force.com/

2) all published reports
from https://mozillacaprogram.secure.force.com/
to https://ccadb.secure.force.com/

We asked Salesforce for a temporary redirect from the old to the new URLs, but that was declined because we're not paying for premium support for the CCADB. (Other than this change, I do not currently see the need for us to pay for premium support.)

So, when we make this change, it will be a breaking change for everyone using the current links.

To make this change happen, we will file a Salesforce bug and request that the change happen on a certain date, within a certain 24 hour window. So, we're planning to request that this change happen on a Friday.

I would send an email via the CCADB to all included CAs before and after the change.

I would also need to update all of Mozilla's wiki pages that have these links, i.e. all the wiki pages with instructions about CA login, public-facing reports, and the CA Communication responses.

I suspect this change will also impact crt.sh.

Is there anything that I have missed in regards to what will be impacted when we make this change?

Does anyone have concerns or feedback on this?

Cheers,
Kathleen