If they're not going to revoke within 24 hours and willingly violate that
part of the policy, I would at least expect them to, within that 24 hours,
produce a description of why this happened, what they're doing to fix it,
and when they expect the certificates to be replaced (along with an
expectation of when a hard revocation deadline would be regardless of
customer responsiveness). Once the underlying issue is fixed, I would
expect them to ring in to say that it's fixed and what they did to fix it.

That's just basic good-faith engagement that demonstrates that the issuing
CA at least takes the issue as seriously as the community does, and
engenders trust that the issue is being addressed.

Let's Encrypt just responded this week to an encoding compliance failure
with a live production code fix (including code review and sign off) within
6 hours of being notified.

While not every issuing CA may take security seriously enough to employ
engineers on staff who can research, author and deploy a production code
fix in a 24-hour period, every issuing CA should be able to muster the
strength to keep the community informed of their plans and progress in
however long it takes to address the issue.

-- Eric

On Fri, Aug 11, 2017 at 10:33 AM, Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Apparently they haven’t yet, but we’ll assume that they will.
>
> Does the community expect a remediation plan for their code and then a
> revocation-and-replacement plan?
>
> Ben Wilson, JD, CISA, CISSP
>
> VP Compliance
>
> +1 801 701 9678
>
> From: Alex Gaynor [mailto:agay...@mozilla.com]
> Sent: Friday, August 11, 2017 8:31 AM
> To: Ben Wilson <ben.wil...@digicert.com>
> Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg <
> jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificates with less than 64 bits of entropy
>
> Have they fixed whatever issue there is with their PKI infrastructure that
> leads to this issue? From skimming, I see this pool contains certs issued
> as recently as one month ago.
>
> Alex
>
> On Fri, Aug 11, 2017 at 10:26 AM, Ben Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> With regard to Siemens, given the large number of certificates and the
> disruption that massive revocations will have on their infrastructure, what
> does this community expect them to do?
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org]
> On Behalf Of Jeremy Rowley via dev-security-policy
> Sent: Thursday, August 10, 2017 12:01 PM
> To: Jonathan Rudenberg <jonat...@titanous.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Certificates with less than 64 bits of entropy
>
> Hi Jonathan,
>
> InfoCert's sub CA was revoked on August 1, 2017. We'll reach out to
> Siemens. They moved to Quovadis a while ago and are no longer issuing from
> that Sub CA.
>
> Jeremy
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
> On Behalf Of Jonathan Rudenberg via dev-security-policy
> Sent: Thursday, August 10, 2017 9:26 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificates with less than 64 bits of entropy
>
> > On Aug 10, 2017, at 11:20, Jonathan Rudenberg via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > QuoVadis (560)
> >    Siemens Issuing CA Internet Server 2016 (560)
> >
> > D-TRUST (224)
> >    D-TRUST SSL Class 3 CA 1 2009 (178)
> >    D-TRUST SSL Class 3 CA 1 EV 2009 (45)
> >    D-TRUST Root Class 3 CA 2 EV 2009 (1)
> >
> > DigiCert (85)
> >    Siemens Issuing CA Class Internet Server 2013 (82)
> >    InfoCert Web Certification Authority (3)
> >
> > Izenpe S.A. (62)
> >    EAEko Herri Administrazioen CA - CA AAPP Vascas (2) (62)
> >
> > Government of The Netherlands, PKIoverheid (Logius) (55)
> >    Digidentity Services CA - G2 (55)
> >
> > Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) (38)
> >    Cihaz Sertifikası Hizmet Sağlayıcı - Sürüm 4 (38)
>
> It looks like my summary missed one QuoVadis intermediate:
>
> Bayerische SSL-CA-2016-01 (3)
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


-- 
konklone.com | @konklone <https://twitter.com/konklone>
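The thread's subject, serial numbers carrying fewer than 64 bits of entropy (the minimum the CA/Browser Forum Baseline Requirements, section 7.1, have required since 30 September 2016), can at least be screened for from the certificate itself. What follows is an added example, not code from this thread or from any CA or scanning tool it mentions. It uses only the Python standard library, reads serialNumber straight out of a DER certificate, and runs over constructed certificate-shaped inputs that carry only the version and serial fields (a real DER certificate parses the same way, since nothing past the serial is read). The sample serial values, the MIN_SERIAL_OCTETS threshold, the 2^32 gap used by the population heuristic and all helper names are this example's own assumptions.

```python
# Added example: screen X.509 serial numbers for the BR 7.1 64-bit minimum.
# Not code from this thread or from any CA or scanner it mentions; standard
# library only. The sample serials are constructed, not from real certificates.

MIN_SERIAL_OCTETS = 8  # 64 bits of CSPRNG output (BR 7.1, since 2016-09-30)


def der_integer(value: int) -> bytes:
    """DER INTEGER. A 0x00 sign octet is prepended when the top bit of the
    first content octet is set: a 64-bit value with that bit set takes 9
    content octets, a 63-bit value only 8."""
    if value < 0:
        raise ValueError("serial numbers must be non-negative")
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    assert len(content) < 0x80  # short-form length is enough for a serial
    return b"\x02" + bytes([len(content)]) + content


def der_constructed(*elements: bytes, tag: int = 0x30) -> bytes:
    """SEQUENCE (0x30), or the [0] EXPLICIT version wrapper with tag=0xA0.
    Short-form length only: the constructed inputs here stay under 128 octets."""
    content = b"".join(elements)
    assert len(content) < 0x80
    return bytes([tag]) + bytes([len(content)]) + content


def read_tlv(buf: bytes, offset: int) -> tuple:
    """Return (tag, content_start, content_end) of the TLV at buf[offset]."""
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:
        length, start = first, offset + 2
    else:  # long form, as used by the outer SEQUENCEs of a real certificate
        n = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        start = offset + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length


def serial_from_certificate(der: bytes) -> int:
    """serialNumber is the first tbsCertificate element after the optional
    [0] EXPLICIT version; nothing after it is parsed."""
    tag, start, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, s, e = read_tlv(der, start)
    if tag == 0xA0:                               # version [0] EXPLICIT OPTIONAL
        tag, s, e = read_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[s:e], "big", signed=True)


def check_serial(serial: int) -> dict:
    """Length screen for one serial. Counts the unsigned octets the value
    needs, not DER content octets: the sign octet inflates a 64-bit value
    to 9, and a leading 0x00 from the RNG shrinks it to 7 while it still
    encodes as 8. A compliant generator produces a 7-octet serial once in
    256 certificates, so a single hit is a lead, not proof."""
    bits = serial.bit_length()
    octets = (bits + 7) // 8
    return {"serial": hex(serial), "significant_bits": bits,
            "unsigned_octets": octets,
            "too_short": serial <= 0 or octets < MIN_SERIAL_OCTETS}


def looks_sequential(serials, max_gap: int = 1 << 32) -> bool:
    """Population heuristic: a handful of 64-bit random serials practically
    never sort within 2^32 of each other; counters and timestamps always do."""
    ordered = sorted(serials)
    return len(ordered) > 1 and all(
        b - a < max_gap for a, b in zip(ordered, ordered[1:]))


def certificate_prefix(serial: int) -> bytes:
    """Constructed input: certificate-shaped DER holding only version v3 and
    serialNumber. A real certificate continues with signature, issuer,
    validity, ..., which serial_from_certificate never reads."""
    version = der_constructed(der_integer(2), tag=0xA0)
    return der_constructed(der_constructed(version, der_integer(serial)))


SAMPLES = {  # constructed values, not from any real certificate
    "counter": 0x1A2B,                           # 13 bits: sequential style
    "random_top_bit_set": 0xC3F109AE5B772D14,    # 64 bits, 9 DER octets, OK
    "random_top_bit_clear": 0x7C3F109AE5B772D1,  # 63 bits, 8 DER octets, OK
    "random_leading_zero": 0xA73F190EB54C21,     # 56 bits, 8 DER octets, flagged
}


if __name__ == "__main__":
    for name, serial in SAMPLES.items():
        r = check_serial(serial_from_certificate(certificate_prefix(serial)))
        print(f"{name:22} {r['significant_bits']:3d} bits "
              f"{r['unsigned_octets']} octets too_short={r['too_short']}")
    print("counter population sequential:", looks_sequential([0x1A2B, 0x1A2C, 0x1A30]))
```

Two caveats the screen makes visible. First, the DER content length is the wrong thing to measure: a 64-bit value with its top bit set is encoded in 9 octets because of the sign octet, while 8 random octets whose first happens to be 0x00 encode in 8 octets but hold only 56 significant bits, so the check counts the unsigned octets the value actually needs. Second, length is only a proxy for entropy in either direction: a compliant 64-bit CSPRNG serial has 7 or fewer significant octets once in 256 issuances, and a 16-octet counter passes the length test with no randomness at all. That is why the population heuristic is there; a CA's serials should be judged across many certificates, which is what the per-intermediate counts in Jonathan's summary above amount to.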