On Wed, 28 Feb 2018 17:37:25 +0000
Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> Hi everyone,
> On February 2nd, 2018, we received a request from Trustico to mass
> revoke all certificates that had been ordered by end users through
> Trustico.

Is this date (2 February, so almost four weeks ago) correct?

In any case, my first thought here was to check whether Trustico
understand what revocation would and would not achieve, and still want
to go ahead.

I know from dealing with Let's Encrypt users that people can get some
ideas about what's going on with the Web PKI that bear no resemblance
to reality, and although we have no formal duty to teach them better,
there's no benefit to the world from pretending they're right. For
example at least once a week we'll see Let's Encrypt users who want to
revoke a certificate they've issued and are asking questions about how
- almost always it turns out they don't have a sensible reason to
revoke, e.g. they hoped revoking will reset their API rate limits, or
the files are taking up too much disk space for them and of course
revocation won't help with either of these things.

 
> This raises a question about the MDSP policy and CAB Forum
> requirements. Who is the subscriber in the reseller relation?  We
> believe this to be the key holder. However, the language is unclear.
> I think we followed the letter and spirit of the BRs here, but I'd
> like feedback, perhaps leading to a ballot that clarifies the
> subscriber in a reseller relationship.

I'm not sure that resellers in particular make this more murky than
many other common scenarios, but if we come up with better and more
clearly defined terminology that never hurts anybody.


> This also brings up a ballot about the level of due diligence
> required for cert revocation. We generally believe that the private
> key or demonstration of domain control is sufficient to request
> revocation. Others are at the CAs discretion. Should we clarify what
> the due diligence looks like? Are there other things we should have
> done or been doing? 

In this particular case I have a concern raised above (did Trustico
_really_ want revocation?) that I think could and perhaps should have
occurred to you at DigiCert and if it didn't I hope a lesson can be
learned there.


> What kind of transparency would the Mozilla community like around this
> issue? There aren't many more facts than I shared above, but there is
> a lot of speculation. Let me know what I can share to help alleviate
> confusion and answer questions.

It's not clear yet to me that it's a problem in this case, but where
you're provided with proof of control over keys and there's dispute
about whether you should have revoked the certs it seems like proof of
control (not the keys themselves) for a random sample of affected certs
is a good thing to show m.d.s.policy.

In most settings I think that this proof would not necessarily be
helpful because it's going to need a neutral third party expert to
explain what it means, but m.d.s.policy is if nothing else brimming with
third party experts so it's welcome here.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
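The kind of evidence discussed above, "proof of control (not the keys themselves)", is a proof of private-key possession: the claimant signs a verifier-chosen nonce bound to the certificate, and anyone holding the certificate can check it with the public key inside it. The following Go program is an added example written for this page, not code from the thread, from Trustico or from DigiCert. It assumes ECDSA P-256 keys, self-signed sample certificates with constructed names (`example.test`, `other.test`), and an assumed domain-separation label inside the digest; none of these come from the post. Only the signature is handed over, so the verifier never learns the private key, which is exactly the property that makes such a proof safe to publish for a random sample of affected certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewChallenge is the verifier's side: a fresh random nonce per request, so a
// proof made for an earlier request cannot be replayed. RNG failure is fatal here.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// proofDigest binds the proof to one certificate and one nonce, so a signature
// made for certificate A is not proof for certificate B. The label is assumed.
func proofDigest(certDER, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("key-control-proof\x00"))
	h.Write(certDER)
	h.Write(challenge)
	return h.Sum(nil)
}

// ProveControl is the claimant's side: sign the (certificate, nonce) digest.
// Only the signature is handed over; the private key itself never leaves.
func ProveControl(priv *ecdsa.PrivateKey, certDER, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, proofDigest(certDER, challenge))
}

// VerifyControl is the verifier's side: the public key is taken from the
// certificate itself, so nothing secret is needed to check the proof.
func VerifyControl(certDER, challenge, sig []byte) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an ECDSA public key")
	}
	return ecdsa.VerifyASN1(pub, proofDigest(certDER, challenge), sig), nil
}

// newHolder makes a key pair and a self-signed certificate for it: constructed
// sample data (the real case uses the CA-issued certificate); setup failure is fatal.
func newHolder(cn string) (*ecdsa.PrivateKey, []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	return priv, der
}

// RunExchange plays the exchange end to end; only genuine should come back true.
func RunExchange() (genuine, wrongKey, replayed bool, err error) {
	holder, certDER := newHolder("example.test") // constructed sample name
	other, _ := newHolder("other.test")          // an unrelated key, constructed too
	nonce := NewChallenge()
	sigGood, err := ProveControl(holder, certDER, nonce)
	if err != nil {
		return
	}
	sigBad, err := ProveControl(other, certDER, nonce) // signed with the wrong key
	if err != nil {
		return
	}
	if genuine, err = VerifyControl(certDER, nonce, sigGood); err != nil {
		return
	}
	if wrongKey, err = VerifyControl(certDER, nonce, sigBad); err != nil {
		return
	}
	// A later request gets a fresh nonce; the old proof must not carry over.
	replayed, err = VerifyControl(certDER, NewChallenge(), sigGood)
	return
}
```

Two design points matter for a reviewer looking at such proofs on the list. The nonce has to be chosen by the verifier and be fresh, otherwise an old signature (for instance one lifted from a TLS handshake) says nothing about who controls the key today. And the digest includes the certificate bytes, so a proof for one certificate cannot be recycled as proof for another certificate that happens to share the same key.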
