On Tue, Feb 13, 2018 at 11:26 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:
>
> > The most recent BR audit report for the Visa eCommerce Root contains 3
> > qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf
>
> Does Mozilla have any guidelines or official position on what constitutes
> sufficient audit issues to result in sanctions?

As Gerv described in the other thread [1], Mozilla's current approach is to document each issue and view them in aggregate, rather than defining a set of penalties that apply in given situations. Mozilla has certainly required actions from CAs as a condition to remaining in the program, but those "sanctions" have been defined in the context of specific situations. While I also find the idea of defining more generic penalties appealing on the surface, I'm not convinced that it would lead to better outcomes for our users.

> Frankly I'm stunned that any CA in the Mozilla root program can apparently
> ignore the baseline requirements for approximately 4 years after their
> effective date, get an initial BR audit with multiple qualifications, and
> see no penalty from this behavior.

Their initial BR PITRA was in 2016. It lists 7 qualifications [2].

> And this is disregarding several other BR violations found in the wild by
> independent researchers. I realize I'm banging the same drum as in my other
> thread, but without consistent enforcement of escalating penalties I don't
> believe we're teaching CAs anything other than that Mozilla will ultimately
> forgive almost any transgression. Unless you catch them on a bad day, in
> which case you might get distrusted entirely.

In this particular case, my conclusion is that the existing Mozilla process is working. We have documented a number of issues that when considered in aggregate warrant an investigation.

- Wayne

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/d-m48lVtYoQ/HvlXcfwWAQAJ
[2] https://bug1301210.bmoattachments.org/attachment.cgi?id=8795503

> -Paul (reaperhulk)