Re: High traffic on this list, and Mozilla root program involvement
All,

While I understand the desire to normally have one Bugzilla Bug per root cause per CA, I do not have the bandwidth to do this. So, I am going to create one bug per CA that I find in the recent m.d.s.policy posts, and list all of the problems pertaining to that CA in their bug.

Thanks to all of you for all of your efforts towards cleaning up the CA ecosystem. It has and will take a lot of work, but I greatly appreciate the forward momentum.

For those of you awaiting response from me to your emails, please be patient as I am going to work on this for a while. (My inbox is a mess, so if there is anything urgent please put URGENT at the beginning of the email subject.)

Cheers,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: High traffic on this list, and Mozilla root program involvement
Hi Jeremy,

On 09/08/17 21:57, Jeremy Rowley wrote:
> I was thinking you should just have the CAs add them all for you. Makes it
> easier on you and demonstrates they are tracking and remediating these
> issues. If I were going to create a bug for these in Mozilla would you
> prefer to see one bug per issue or one bug per CA. For example, should there
> be a bug for all DigiCert issues or should there be one that describes too
> long of serial number and another that says the field contains meta-data?

That is a good point. Thank you for the suggestion.

I would like one bug per root cause, ideally, but as bugs can be more easily duplicated against each other than split, err on the side of one bug per issue if the root causes have not been determined with sufficient clarity yet.

If CAs wish to file bugs about their own issues, they should do so here:
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS=CA%20Certificate%20Mis-Issuance
(We use the term "mis-issuance" broadly here.)

Please include in the initial comment at least a full copy of the original report from this group, although you may elide details of certificates from other CAs.

Gerv
RE: High traffic on this list, and Mozilla root program involvement
I was thinking you should just have the CAs add them all for you. Makes it easier on you and demonstrates they are tracking and remediating these issues. If I were going to create a bug for these in Mozilla would you prefer to see one bug per issue or one bug per CA. For example, should there be a bug for all DigiCert issues or should there be one that describes too long of serial number and another that says the field contains meta-data?

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Wednesday, August 9, 2017 9:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: High traffic on this list, and Mozilla root program involvement

On 09/08/17 00:12, Jeremy Rowley wrote:
> Do you want that added as a new bug for all the issues listed?

I'm not sure I follow. Do I want what added?

I will be filing any additional appropriate bugs when I get around to triaging all the messages in this forum.

Gerv
Re: High traffic on this list, and Mozilla root program involvement
On 09/08/17 00:12, Jeremy Rowley wrote:
> Do you want that added as a new bug for all the issues listed?

I'm not sure I follow. Do I want what added?

I will be filing any additional appropriate bugs when I get around to triaging all the messages in this forum.

Gerv
RE: High traffic on this list, and Mozilla root program involvement
Do you want that added as a new bug for all the issues listed?

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Tuesday, August 8, 2017 10:02 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: High traffic on this list, and Mozilla root program involvement

Hi everyone,

Wow, traffic on this group has exploded :-) Thank you to everyone who has been bringing incidents to our attention.

Clearly, many of these items need official responses and action from representatives of the Mozilla root program. I have been on holiday quite a lot recently, and that includes this week, and any time I have had has been fighting fires relating to my other responsibilities and requirements placed on me. But please rest assured, all this has not been forgotten.

In the mean time, I would hope CAs would be picking up incidents relating to themselves, doing investigations and publishing best-practice-style incident reports here once those investigations were concluded. I probably need to write a wiki page on this, but in brief best practice involves much more than "we revoked the certificates concerned", it needs to say "this is how this happened", and "this is what we've done/are doing to make sure it won't happen again".

Gerv