On Friday, 24 March 2017 10:11:36 UTC, Gervase Markham  wrote:
> I spoke about this with Doug at the CAB Forum meeting. The system which
> collects the data is not integrated with the system to which the domains
> are added. The validation specialist concerned, contrary to policy
> ("it's just a test"), simply did not add any data to the data recording
> system relating to the addition of this domain to the authorized list
> for the account.
> 
> This raises the question of whether Mozilla should attempt to require
> such linkage by policy

I agree with you, Gerv, that it seems impractical to fix this with Mozilla policy.

There are a number of things CAs can and should be doing here to reduce the 
chance that they're put in the same position as GlobalSign, but I don't know if 
any of them are amenable to being specified by policy.

Good software engineering principles can help. There should be a simple, 
documented process for testing things, including certificate issuance. If there 
are ad hoc processes, it's really easy for those to end up infringing policy. 
But I can't see Mozilla legislating some particular software engineering 
process.

Good HR can help too. "Don't walk past" rules are appropriate: every employee 
is entitled to identify something as a security problem and to see it get 
solved; covering up problems has to be what gets you in trouble, not telling 
people about them. But this needs morale, and it's just not practical for 
Mozilla to control the morale at a programme member CA.

Finally, though, and maybe there is an opportunity to write policy here but I'm 
not sure how, the CA needs to be proactively monitoring its own systems for 
anomalies and outliers. The test.com certificate was an outlier because there 
was no data in the data recording system about it. That had a perfectly 
sensible, but BR-defying, explanation. It doesn't need a team of people, or 
even a whole full-time employee, but _somebody_ at the CA should be looking for 
this type of problem so they find it before everybody else does.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
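One way to mechanise the outlier check the post above asks for, as an added example that is not part of the original message and not any CA's own code: a reconciliation pass that joins every issued certificate to the validation records held for the requesting account and reports each SAN that has no supporting record. The record layouts, the subdomain-coverage rule, the validation reuse window and the sample data are all assumptions constructed for illustration; a real CA would read its issuance database and its data recording system instead.

```python
"""
Reconciliation check: every SAN on an issued certificate must be backed by a
validation record for the account that requested it, recorded before issuance
and still within the reuse window. A certificate with no such record is the
kind of outlier the test.com case turned out to be.

Added example. Field names, the subdomain-coverage rule, the reuse window and
the sample data below are constructed assumptions, not any CA's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuedCert:
    serial: str
    account: str
    sans: tuple
    issued_at: datetime


@dataclass(frozen=True)
class ValidationRecord:
    account: str
    domain: str
    method: str
    validated_at: datetime


def domain_covered(record_domain, san):
    """Assumption for this example: a validation of example.com covers
    example.com and any label beneath it. Real coverage depends on the
    validation method used, so adjust to your CP/CPS."""
    return san == record_domain or san.endswith("." + record_domain)


def find_outliers(certs, records, max_age=timedelta(days=825)):
    """Return {serial: [unsupported SANs]} for every certificate whose SANs are
    not all backed by a validation record for the same account, made before
    issuance and no older than max_age (the reuse window is an assumed value;
    use the figure your policy actually permits)."""
    by_account = {}
    for rec in records:
        by_account.setdefault(rec.account, []).append(rec)

    problems = {}
    for cert in certs:
        account_records = by_account.get(cert.account, [])
        unsupported = []
        for san in cert.sans:
            supported = any(
                domain_covered(rec.domain, san)
                and rec.validated_at <= cert.issued_at
                and cert.issued_at - rec.validated_at <= max_age
                for rec in account_records
            )
            if not supported:
                unsupported.append(san)
        if unsupported:
            problems[cert.serial] = unsupported
    return problems


# Constructed sample data: one clean certificate and three different outliers.
SAMPLE_RECORDS = [
    ValidationRecord("acct-42", "example.net", "dns-txt", datetime(2017, 1, 10)),
    # Recorded after the certificate that relies on it was issued.
    ValidationRecord("acct-42", "example.org", "dns-txt", datetime(2017, 3, 30)),
]

SAMPLE_CERTS = [
    IssuedCert("01", "acct-42", ("example.net", "www.example.net"), datetime(2017, 3, 20)),
    # No record at all: the "it's just a test" case.
    IssuedCert("02", "acct-42", ("test.com",), datetime(2017, 3, 21)),
    # Record exists but postdates issuance.
    IssuedCert("03", "acct-42", ("example.org", "www.example.org"), datetime(2017, 3, 22)),
    # Domain validated, but for a different account.
    IssuedCert("04", "acct-99", ("example.net",), datetime(2017, 3, 22)),
]


def run_sample_check():
    """Run the reconciliation over the constructed sample data."""
    return find_outliers(SAMPLE_CERTS, SAMPLE_RECORDS)


if __name__ == "__main__":
    for serial, sans in sorted(run_sample_check().items()):
        print(f"serial {serial}: no supporting validation record for {', '.join(sans)}")
```

Run this on a schedule against the real issuance and validation stores, alert on any non-empty result, and the person "looking for this type of problem" has a concrete list rather than a hunch. The three outlier kinds in the sample (no record, record after issuance, record for another account) are the ones a join like this can catch; it cannot tell whether the record's contents are truthful, which is a separate audit question.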