On Thu, Sep 7, 2017 at 11:17 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Mozilla has decided that there is sufficient concern about the
> activities and operations of the CA "PROCERT" to collect together our
> list of current concerns. That list can be found here:
> https://wiki.mozilla.org/CA:PROCERT_Issues
>
> Note that this list may expand or reduce over time as issues are
> investigated further, with information either from our or our
> community's investigations or from PROCERT.
>
> We expect PROCERT to engage in a public discussion of these issues and
> give their comments and viewpoint. We also hope that our community will
> make comments, and perhaps provide additional information based on their
> own investigations.
>
> When commenting on these issues, please clearly state which issue you
> are addressing on each occasion. The issues have been given identifying
> letters to help with this.
>
> At the end of a public discussion period between Mozilla, our community
> and PROCERT, which we hope will be no longer than a couple of weeks,
> Mozilla will move to make a decision about the continued trust of
> PROCERT, based on the picture which has then emerged.
>

(Unless stated, wearing a personal hat)

Hi Gerv,

Do you have an anticipated time period for discussion? That is, what represents a time for which PROCERT may submit feedback to have it considered, and at what point you will consider discussion closed?

Based on the information provided, Issue K represents an unconditional security issue, inasmuch as names such as "autodiscover" and "owaserver" are widely-used domains for Outlook Web Access. Many clients attempt to access resources at this (unqualified) domain, relying on the combination of DNS suffix search and locally-trusted certificates to ensure proper resolution. Issuing a publicly trusted certificate for this name - and then failing to revoke it - represents a critical security risk and arguably a dereliction of responsibility.

Combined with Issue D and Issue G, it is questionable as to how it was ever validated, and suggests serious failings over the most critical security control of a CA - which is validation of a domain. Combined with Issue L, Issue Q, Issue R, Issue X, and Issue W, serious questions are raised about the oversight and technical ability of the staff, as these are indicative of serious control failures.

Outside of Issue K, I would suggest that Issue O and Issue S show a lack of awareness of developments in the CA ecosystem, as both of these controls were direct responses to widely reported CA security issues. The failure to take appropriate steps - or to appreciate the reasons behind such steps - is indicative of a systematic misunderstanding of the security function of a CA.

On the basis of the sum of these issues, it would seem that the criteria in Section 7.3 of Mozilla policy - https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ - are met: "Mozilla will disable or remove a certificate if the CA demonstrates ongoing or egregious practices that do not maintain the expected level of service or that do not comply with the requirements of this policy."
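
A check of the kind that catches the names discussed under Issue K, as an added example that is not part of the original message or of any CA's tooling: it classifies the dNSName values of a certificate and flags unqualified or internal names before issuance or during an audit. The suffix list, function names and sample names (other than "autodiscover" and "owaserver") are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: illustrative, non-exhaustive suffixes that are not publicly delegated.
INTERNAL_SUFFIXES = {"local", "localhost", "test", "invalid", "example",
                     "internal", "lan", "corp", "home"}

# Constructed sample: dNSName values as they might appear in one certificate's SAN.
SAMPLE_SANS = ["autodiscover", "owaserver", "www.example.com.",
               "exch01.corp", "*.corp", "10.0.0.1", "a..b"]


def classify_dns_name(name):
    """Return 'fqdn', 'internal-name', 'ip-literal' or 'malformed' for one dNSName."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]              # judge a wildcard by the name it covers
    if not host:
        return "malformed"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # an address does not belong in a dNSName entry
    except ValueError:
        pass
    labels = host.split(".")
    if any(not label or len(label) > 63 for label in labels):
        return "malformed"
    if len(labels) == 1:
        # Unqualified name: resolved only through the client's DNS suffix search,
        # so no single party can demonstrate control of it.
        return "internal-name"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-name"
    return "fqdn"


def audit_sans(sans):
    """Map each dNSName that must not be publicly certified to the reason."""
    findings = {}
    for name in sans:
        verdict = classify_dns_name(name)
        if verdict != "fqdn":
            findings[name] = verdict
    return findings


if __name__ == "__main__":
    for name, verdict in audit_sans(SAMPLE_SANS).items():
        print(f"{verdict:14} {name}")
```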