Re: Changing CCADB domains

2017-05-15 Thread Kathleen Wilson via dev-security-policy
Here are the changes we are requesting to be made on Friday, May 19, at 1pm PDT.

1) https://mozillacacommunity.force.com/
will be changed to
https://ccadb.force.com/
(This is the CA login page, and the domain CAs see when they are logged into 
the CCADB)

2) https://mozillacaprogram.secure.force.com/
will be changed to
https://mozilla-ccadb.secure.force.com/
(This is the domain for the Mozilla reports that are published directly from 
the CCADB)

Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-08 Thread Rob Stradling via dev-security-policy

On 06/05/17 10:25, Jesper Kristensen via dev-security-policy wrote:


Mozilla could CNAME from ccadb.org to .force.com, and then
declare that the ccadb.org URLs are the official ones.

Is that what you meant, Peter?


You cannot set up a CNAME without configuring Salesforce, since they
would not know your Host/SNI header, and they would not serve a cert
that is valid for your domain.


Ah.


You can set up a new domain in Salesforce while keeping the old
mozillacacommunity.force.com without premium support, as long as the new
domain is a custom domain and not a force.com domain.


Or Mozilla could setup https://login.ccadb.org to simply return an HTTP 
temporary redirect to .force.com.


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-05 Thread Rob Stradling via dev-security-policy

On 05/05/17 16:08, Gervase Markham via dev-security-policy wrote:

On 05/05/17 10:22, Rob Stradling wrote:

Mozilla could CNAME from ccadb.org to .force.com, and then
declare that the ccadb.org URLs are the official ones.


It would need to be .ccadb.org, as we plan to use
www.ccadb.org as an introductory website for the CCADB, once Mozilla IT
configures things correctly ;-)


How about...

login.ccadb.org => mozillacacommunity.force.com
(to be changed on May 19th to => ccadb.force.com)

reports.ccadb.org => mozillacaprogram.secure.force.com
(to be changed on May 19th to => ccadb.secure.force.com)

?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-05 Thread Gervase Markham via dev-security-policy
On 05/05/17 10:22, Rob Stradling wrote:
> Mozilla could CNAME from ccadb.org to .force.com, and then
> declare that the ccadb.org URLs are the official ones.

It would need to be .ccadb.org, as we plan to use
www.ccadb.org as an introductory website for the CCADB, once Mozilla IT
configures things correctly ;-)

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-05 Thread Rob Stradling via dev-security-policy

On 05/05/17 04:25, Peter Bowen via dev-security-policy wrote:

On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via
dev-security-policy  wrote:

All,

I think it is time for us to change the domains that we are using for the CCADB 
as follows.

Change the links for...

1)  CAs to login to the CCADB
from
https://mozillacacommunity.force.com/
to
https://ccadb.force.com/

2) all published reports
from
https://mozillacaprogram.secure.force.com/
to
https://ccadb.secure.force.com/


We asked Salesforce for a temporary redirect from the old to the new URLs, but 
that was declined because we're not paying for premium support for the CCADB. 
(Other than this change, I do not currently see the need for us to pay for 
premium support.)


Is it also a "premium" feature to use custom domain names?  I think it
would probably make sense to use ccadb.org (which seems to belong to
Mozilla) rather than force.com.


Mozilla could CNAME from ccadb.org to .force.com, and then 
declare that the ccadb.org URLs are the official ones.


Is that what you meant, Peter?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-04 Thread Peter Bowen via dev-security-policy
On Wed, May 3, 2017 at 10:52 AM, Kathleen Wilson via
dev-security-policy  wrote:
> All,
>
> I think it is time for us to change the domains that we are using for the 
> CCADB as follows.
>
> Change the links for...
>
> 1)  CAs to login to the CCADB
> from
> https://mozillacacommunity.force.com/
> to
> https://ccadb.force.com/
>
> 2) all published reports
> from
> https://mozillacaprogram.secure.force.com/
> to
> https://ccadb.secure.force.com/
>
>
> We asked Salesforce for a temporary redirect from the old to the new URLs, 
> but that was declined because we're not paying for premium support for the 
> CCADB. (Other than this change, I do not currently see the need for us to pay 
> for premium support.)

Is it also a "premium" feature to use custom domain names?  I think it
would probably make sense to use ccadb.org (which seems to belong to
Mozilla) rather than force.com.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-04 Thread Kathleen Wilson via dev-security-policy
On Wednesday, May 3, 2017 at 1:21:29 PM UTC-7, Nick Lamb wrote:
> If you believe there are, or are likely to be, CAs trying to fill out the 
> survey a bit late, it may make sense to wait for that before triggering this 
> change, so as to avoid the (it seems almost inevitable) response that they 
> tried to do the survey but they were using the old link and it didn't work...


Good point. We will ask Salesforce to make this change on May 19.

Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Changing CCADB domains

2017-05-03 Thread Nick Lamb via dev-security-policy
Thanks for your notice Kathleen.

One thought: Very often several CAs ask for more time to complete the Mozilla 
survey, either explicitly, or implicitly by just not filling it out in a timely 
fashion and saying they're very busy and will do it "soon" if they're asked.

If you believe there are, or are likely to be, CAs trying to fill out the 
survey a bit late, it may make sense to wait for that before triggering this 
change, so as to avoid the (it seems almost inevitable) response that they 
tried to do the survey but they were using the old link and it didn't work...
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Changing CCADB domains

2017-05-03 Thread Kathleen Wilson via dev-security-policy
All,

I think it is time for us to change the domains that we are using for the CCADB 
as follows.

Change the links for...

1)  CAs to login to the CCADB
from
https://mozillacacommunity.force.com/
to
https://ccadb.force.com/

2) all published reports
from
https://mozillacaprogram.secure.force.com/
to
https://ccadb.secure.force.com/


We asked Salesforce for a temporary redirect from the old to the new URLs, but 
that was declined because we're not paying for premium support for the CCADB. 
(Other than this change, I do not currently see the need for us to pay for 
premium support.)

So, when we make this change, it will be a breaking change for everyone using 
the current links.

To make this change happen, we will file a Salesforce bug and request that the 
change happen on a certain date, within a certain 24 hour window. So, we're 
planning to request that this change happen on a Friday.

I would send an email via the CCADB to all included CAs before and after the 
change.

I would also need to update all of Mozilla's wiki pages that have these links. 
i.e. all the wiki pages with instructions about CA login, public-facing 
reports, and the CA Communication responses.

I suspect this change will also impact crt.sh.

Is there anything that I have missed in regards to what will be impacted when 
we make this change?

Does anyone have concerns or feedback on this?

Cheers,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy