On Sat, Dec 9, 2017 at 7:50 AM, Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Sat, 9 Dec 2017 09:51:59 +0100
> Hanno Böck via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > On Fri, 8 Dec 2017 16:43:48 -0700
> > Wayne Thayer via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > The root CA is ultimately responsible for subordinate CAs it has
> > > signed.
> >
> > I see a problem with that, as this is far from obvious.
>
> I saw "responsibility" here as meaning responsibility to the Trust
> Stores on behalf of the Relying Parties. For the Relying Parties
> themselves I think the right pattern is: Try filing a Problem Report
> with the Issuer, if the result isn't satisfactory, complain to your
> Trust Store(s). We can do the rest, can we not?

Yes, I think we're talking about two separate problems. I was looking at this from Mozilla's perspective.

> > I'm mostly not concerned about the people following these things
> > closely and are members of this list, but about random other people who
> > happen to find problems. It surely seems beneficial for the certificate
> > ecosystem to make sure that they can easily find the right place to
> > report problems.

It can be confusing even for people following these things. That's where I think collecting problem reporting info from audited sub-CAs in CCADB would help.

For everyone else, finding the correct problem reporting information is mostly a matter of luck. Perhaps we should require an email address be included in the end-entity certificate? Unless that info was exposed in the browser, it would still be difficult to find, but at least it would then be in a consistent location.