+1. CAs should be required to support certificate problem reports sent through 
a specified email address. It simplifies the process a lot if CAs use at least 
one common mechanism.

> On Aug 8, 2017, at 12:22 PM, Jonathan Rudenberg via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> 
>> On Aug 8, 2017, at 10:36, David E. Ross via dev-security-policy 
>> <dev-security-policy@lists.mozilla.org> wrote:
>> 
>> On 8/7/2017 8:09 PM, Jonathan Rudenberg wrote:
>>> 
>>>> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy 
>>>> <dev-security-policy@lists.mozilla.org> wrote:
>>>> 
>>>> On 16/05/17 02:26, userwithuid wrote:
>>>>> After skimming the responses and checking a few CAs, I'm starting to
>>>>> wonder: Wouldn't it be easier to just add another mandatory field to
>>>>> the CCADB (e.g. "revocation contact"), requiring $URL or $EMAIL via
>>>>> policy and just use that to provide a public list?
>>>> 
>>>> Well, such contacts are normally per CA rather than per root. I guess we
>>>> could add it on the CA's entry.
>>> 
>>> I’ve been reporting a fair amount of misissuance this week, and the 
>>> responses to the Problem Reporting question in the April CA communication 
>>> leave a lot to be desired. Several CAs do not have any contact details at 
>>> all, and others require filling forms with captchas.
>>> 
>>> I think it’d be very useful if CAs were required to maintain a problem 
>>> reporting email address and keep it current in the CCADB; this requirement 
>>> could go in the Mozilla Root Store policy or the CCADB policy. If they want 
>>> to also maintain other modes of contact, they can, but no matter what an 
>>> email address should be required.
>>> 
>>> Jonathan
>>> 
>> 
>> I think that a public point of contact for a certification authority was
>> a requirement under Mozilla's policy.  I cannot find such a requirement
>> now unless the Baseline Requirements, which are included by reference in
>> Mozilla's policy, require it.
> 
> Yes, section 4.9.3 of the Baseline Requirements says:
> 
>> The CA SHALL provide Subscribers, Relying Parties, Application Software 
>> Suppliers, and other third parties with clear instructions for reporting 
>> suspected Private Key Compromise, Certificate misuse, or other types of 
>> fraud, compromise, misuse, inappropriate conduct, or any other matter 
>> related to Certificates. The CA SHALL publicly disclose the instructions 
>> through a readily accessible online means.
> 
> However, it does not specify that email is required. I’m proposing that 
> Mozilla require that one of the methods for reporting be email and that the 
> email address be recorded in the CCADB.
> 
> Jonathan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy