On February 9, 2018 at 1:24:12 AM, Wayne Thayer (wtha...@mozilla.com) wrote:

> On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > So, how long is too long?
>
> This is the crux of the issue for me. If a CA (that really should have stopped responding 'good' for unknown certs back in 2013) needs to select, purchase, and deploy an entirely new OCSP system, is 5 months a really long time? From their perspective, probably not.

I agree that from their perspective that's a short period of time. However, I strongly believe that asking the public to bear the burden of a CA's own incompetence is, while historically what has been done, not tenable moving forward. In the specific case of the OCSP issues I question why we should give CAs half a year to remediate a fault that had already been a requirement for 4 years when it was discovered. In many ways a CA's primary job is knowing and following the rules, so why are we giving CAs who fail in such colossal fashion a free pass?

> I don't believe there is a standard answer to this question that can apply to a whole class of issues, but I do think we could do a better job of communicating our expectations when a situation like this arises by making a statement such as 'being a CA that has been granted the public's trust, Mozilla expects problem X to be resolved in Y days'. Responsible CAs will meet the deadline and thus distinguish themselves from CAs that simply aren't taking the problem seriously.

If Mozilla provides a deadline and a CA misses it, what's the penalty? I believe a graduated notion of penalties and risk mitigation would make it easier for Mozilla to push CAs. If the only penalty is distrust then "little" things like a slow but steady trickle of misissued certificates, operating your OCSP responder out of compliance for 4 years, or failing to get a BR audit for 3 years after they became required never rise to the level of a distrust conversation.

If, on the other hand, there exists a set of penalty tiers, a CA can be placed on that path relatively quickly. Instead of a "sudden" (from the perspective of the CA or subscribers who aren't engaged with policy discussions on mdsp) distrust thread, there is an escalation that makes everyone aware of a CA's need to shape up.

-Paul

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy