Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-25 Thread Wayne Thayer via dev-security-policy
On Fri, Apr 20, 2018 at 12:33 PM, Wayne Thayer wrote: > At this point we have a few choices: > > 1. Do nothing about requiring email as a problem reporting mechanism. > Instead, take on the related issues of disclosure of the reporting > mechanism and receipt confirmation in

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-20 Thread Wayne Thayer via dev-security-policy
At this point we have a few choices: 1. Do nothing about requiring email as a problem reporting mechanism. Instead, take on the related issues of disclosure of the reporting mechanism and receipt confirmation in Mozilla policy, via the CAB Forum, or both. 2. Go ahead with the proposal to require

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-19 Thread Kristian Fiskerstrand via dev-security-policy
On 04/18/2018 10:51 PM, Dimitris Zacharopoulos via dev-security-policy wrote: >> 1 - it's easier. I have seen CAs use generic "support request" forms that >> are difficult to decipher, especially when not in one's native language. >> 2 - It scales better. When someone is trying to report the same

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-18 Thread Dimitris Zacharopoulos via dev-security-policy
On 18/4/2018 9:50 μμ, Wayne Thayer via dev-security-policy wrote: On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via dev-security-policy wrote: On 18/4/2018 12:04 πμ, Jeremy Rowley via dev-security-policy wrote: Having to go through

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-18 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 18, 2018 at 2:50 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via > dev-security-policy wrote: > > > On 18/4/2018 12:04 πμ, Jeremy Rowley via

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-18 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 18, 2018 at 3:14 AM, Dimitris Zacharopoulos via dev-security-policy wrote: > Mail servers receive tons of SPAM every day and an email address target is > a very easy target for popular CAs. We should also consider the possibility > of accidental

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-18 Thread Dimitris Zacharopoulos via dev-security-policy
On 18/4/2018 12:04 πμ, Jeremy Rowley via dev-security-policy wrote: Having to go through captchas to even get the email sent is just another obstacle in getting the CA a timely certificate problem report Nowadays, people deal with captchas all the time in various popular web sites. I don't

RE: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-17 Thread Jeremy Rowley via dev-security-policy
:50 AM To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Policy 2.6 Proposal: Require CAs to support problem reports via email Section 4.9.3 of the CA/Browser Forum's Baseline Requirements says: "The CA SHALL provide Subscribers, Relying Parties, App

Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-17 Thread Wayne Thayer via dev-security-policy
Section 4.9.3 of the CA/Browser Forum's Baseline Requirements says: "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud,