Hi Gerv, Is it your intent that once OneCRL-revoked intermediates are brought into compliance that they'd be removed from OneCRL, or are they gone for good, a warning sign to those who follow.
Alex

PS: Maybe it'd be good to use a source of randomness that is not from the UK government.

On Tuesday, November 8, 2016 at 11:19:15 AM UTC-5, Gervase Markham wrote:
> Hi everyone,
>
> I'd like to take some action about persistent failures to properly
> disclose intermediates. The deadline for this was June, and CAs have had
> a number of reminders, so there's no excuse.
>
> Of course, if intermediates aren't disclosed, we can't be certain what
> they are, but crt.sh has a good idea of many of them:
> https://crt.sh/mozilla-disclosures#undisclosed
>
> There is also a list on that page of certs which CAs have disclosed but
> not provided audit info, but given that you can get off that list by
> putting _anything_ in the relevant box in Salesforce, I'm worried about
> perverse incentives if we go after people on that list at the moment:
> https://crt.sh/mozilla-disclosures#disclosureincomplete
>
> Anyway, considering the first list: what do we do? I'm not particularly
> in favour of sending another nagging email. We could just un-trust the
> lot, but that might be quite impactful. So here's my proposal: we play
> Russian Roulette. We choose 3 certs from the list each week and add them
> to OneCRL, and email the CAs concerned to tell them we've done it.
> Hopefully after a few weeks, they'll get the message.
>
> RFC 3797 has a handy mechanism called "verifiable random selection",
> which allows you to make a random selection from a list that can be
> publicly verified as random. And, even more handily, I've written an
> implementation of it in JavaScript:
> http://www.gerv.net/hacking/vrs/
>
> We would choose 3 certs from the list as it exists every Monday at 2pm
> UK time, using the following sources of randomness for the algorithm:
>
> 1) UK National Lottery "Lotto" numbers, not including bonus ball
> 2) UK National Lottery "Thunderball" numbers, not including Thunderball
> 3) UK National Lottery "Lotto Hotpicks" numbers
>
> All would be from the draws which take place on the Saturday preceding
> the Monday in question. https://www.national-lottery.co.uk/results
>
> Comments?
>
> Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy