On Tue, 9 Feb 2021 14:29:15 -0700 Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> All,
> GlobalSign has provided a very detailed incident report in Bugzilla -
> see https://bugzilla.mozilla.org/show_bug.cgi?id=1690807#c2.
> There are a few remaining questions that still need to be answered,
> so this email is just to keep you aware.
> Hopefully later this week I'll be able to come back and see if people
> are satisfied and whether we can proceed with the root inclusion
> request.

I have a question (if I should write it in Bugzilla instead, please say so; it is unclear to me what the correct protocol is).

GlobalSign have provided a list of 112 other certificates which were issued for the same reason. I examined some of them manually and determined that they are, in appearance, unextraordinary (2048-bit RSA keys, for example), and so it's unsurprising we didn't notice they were issued previously.

However, the list does not tell me when these certificates were ordered or, if substantially different, when the email used to "validate" these orders was sent. As a result it's hard to be sure whether these certificates were issued perhaps only a few weeks after they were ordered, which is a relatively minor oversight, or, like the incident certificate, many years afterwards. I'd like maybe a column of "order date" and "email sent date" if the two can be different.

I also have noticed something that definitely isn't (just) for GlobalSign. It seems to me that the current Ten Blessed Methods do not tell issuers to prevent robots from "clicking" email links. We don't need a CAPTCHA; just a "Yes I want this certificate" POST form ought to be enough to defuse typical "anti-virus", "anti-malware" or automated crawling/cache-building robots. Maybe I just missed where the BRs tell you to prevent that, and hopefully even without prompting all issuers using the email-based Blessed Methods have prevented this.

Nick.
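The confirmation form Nick describes, as an added example that is not part of the original message and not GlobalSign's, Mozilla's or any CA's code. It models an email-validation endpoint where a GET only renders the "Yes I want this certificate" page and never changes state, so a mail scanner or link-prefetching robot that fetches every URL in the message cannot approve the order; approval requires a POST carrying a single-use token plus an explicit confirmation field, and the token is only honoured for a limited time after the email was sent. The order record keeps "ordered_at" and "email_sent_at" as separate fields, matching the two columns asked for above. The host `ca.example`, the 7-day lifetime, the in-memory store and all order data are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Hypothetical policy for this example: a confirmation token is honoured
# for at most 7 days after the validation email was sent.
TOKEN_TTL_SECONDS = 7 * 24 * 3600


@dataclass
class PendingValidation:
    order_id: str
    domain: str
    ordered_at: float        # when the certificate was ordered
    email_sent_at: float     # when the validation email went out (may differ)
    token: str               # single-use, unguessable, embedded in the email link
    approved_at: Optional[float] = None


class ValidationStore:
    """In-memory stand-in for a CA order database (constructed for the example)."""

    def __init__(self) -> None:
        self._by_token = {}  # type: Dict[str, PendingValidation]

    def create(self, order_id: str, domain: str,
               ordered_at: float, email_sent_at: float) -> PendingValidation:
        token = secrets.token_urlsafe(32)
        pv = PendingValidation(order_id, domain, ordered_at, email_sent_at, token)
        self._by_token[token] = pv
        return pv

    def lookup(self, token: str) -> Optional[PendingValidation]:
        # Compare against every stored token in constant time so a timing
        # difference does not reveal partial matches.
        for stored, pv in self._by_token.items():
            if hmac.compare_digest(stored, token):
                return pv
        return None


def confirmation_link(pv: PendingValidation,
                      base: str = "https://ca.example/confirm") -> str:
    """The link placed in the validation email (example host, not a real endpoint)."""
    return f"{base}?{urlencode({'t': pv.token})}"


def handle_request(store: ValidationStore, method: str,
                   query: dict, form: dict, now: float):
    """Minimal request handler. Returns (http_status, outcome).

    GET: render the confirmation form, no state change (safe for robots).
    POST: approve only with a valid, unexpired, unused token and confirm=yes.
    """
    token = query.get("t") if method == "GET" else form.get("t")
    pv = store.lookup(token) if token else None
    if pv is None:
        return 404, "unknown-token"
    if method == "GET":
        return 200, "render-form"   # the "Yes I want this certificate" page
    if method != "POST":
        return 405, "method-not-allowed"
    if pv.approved_at is not None:
        return 409, "already-confirmed"
    if now - pv.email_sent_at > TOKEN_TTL_SECONDS:
        return 410, "token-expired"   # stale email: re-validate, do not issue
    if form.get("confirm") != "yes":
        return 400, "missing-confirmation"
    pv.approved_at = now
    return 200, "approved"


if __name__ == "__main__":
    store = ValidationStore()
    pv = store.create("ORD-1", "example.com", ordered_at=1000.0, email_sent_at=1000.0)
    print(confirmation_link(pv))
    print(handle_request(store, "GET", {"t": pv.token}, {}, 2000.0))
    print(handle_request(store, "POST", {}, {"t": pv.token, "confirm": "yes"}, 2000.0))
```

The expiry check is what turns the "years after the order" case into a hard failure rather than a surprise issuance: an old validation email should lead to a fresh validation, not to a certificate.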
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy