On Fri, Mar 16, 2018 at 04:28:10AM +0000, Ben Wilson via dev-security-policy 
wrote:
> 7.  List of steps your CA is taking to resolve the situation and ensure
> such issuance will not be repeated in the future, accompanied with a
> timeline of when your CA expects to accomplish these things.
> 
> A.  CTJ scanned already-issued certificates to see if they contained the
> incorrect string in the FQDN and to investigate if any additional
> problematic certificates existed.
>
> B. CTJ patched its system on Mar 14.

This appears to be taking a much narrower definition of the term "such
issuance" than is appropriate, IMO.  Without more detail as to what the
patch referred to contains, I'm concerned that the applied fix is likely to
be little more than checking names against /^https:/, which whilst it
"fixes" the problem reported, does nothing to prevent
remarkably-similar-but-not-identical misissuance in the future.

Band-aid fixes are not conducive to trustworthiness.  Are there plans for
the deployment of more holistic preventative measures, such as integrating
pre-issuance checking via one or more of the established certificate linting
programs, into CTJ's issuance pipeline?  If not, why not?  If yes, what is
the timeline for such integration, and why was it not mentioned in the list
of steps above?

If the "patch" applied by CTJ was, in fact, to integrate pre-issuance
linting, I would note that more detail around the nature of "patches"
applied to CA systems in response to mis-issuance would prevent
misunderstandings.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

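To make the distinction Matt draws concrete (a check that matches only the reported defect versus a general pre-issuance syntax check of the kind a certificate linter performs on dNSName SAN entries), here is an added example. It is not part of the original thread, not CTJ's patch, and not the code of any established linter; the `bandaid_check`, `lint_dns_name` and `compare` names, the finding strings and the sample host names are all constructed for illustration.

```python
"""
Added example: a narrow 'band-aid' check versus a general dNSName syntax lint.

RFC 5280 4.2.1.6 requires dNSName SAN entries to use the 'preferred name
syntax' of RFC 1034 (labels of letters, digits and hyphens, no leading or
trailing hyphen), with a leading '*' label commonly tolerated for wildcards.
The finding strings below are hypothetical and are not zlint/x509lint IDs.
"""
import re
from typing import Dict, List, Tuple

# Narrow fix in the spirit of the /^https:/ guess in the post above:
# it rejects exactly the reported string and nothing else.
def bandaid_check(name: str) -> bool:
    """Return True if the name passes (i.e. does not start with 'https:')."""
    return re.match(r"^https:", name) is None

# One DNS label: 1-63 octets of [A-Za-z0-9-], no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def lint_dns_name(name: str) -> List[str]:
    """Return a list of findings for a would-be dNSName entry; [] means OK."""
    findings: List[str] = []
    if name != name.strip():
        findings.append("leading/trailing whitespace")
    n = name.strip()
    if not n:
        findings.append("empty name")
        return findings
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", n):
        findings.append("contains a URI scheme")
    if "/" in n:
        findings.append("contains a path component")
    if ":" in n:  # ports and IPv6 literals do not belong in dNSName
        findings.append("contains ':'")
    if "@" in n:
        findings.append("contains userinfo")
    if "_" in n:
        findings.append("contains underscore")
    if n.endswith("."):
        findings.append("trailing dot")
    if len(n) > 253:
        findings.append("exceeds 253 octets")
    labels = n.split(".")
    if len(labels) < 2:
        findings.append("single-label host name")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue  # whole leftmost wildcard label is tolerated
        if "*" in label:
            findings.append(f"wildcard not a whole leftmost label: {label!r}")
        elif not _LABEL.match(label):
            findings.append(f"bad label: {label!r}")
    if not any(ch.isalpha() for ch in labels[-1]):
        findings.append("all-numeric TLD (looks like an IP address)")
    return findings

def compare(names: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each name to (passes band-aid check, passes general lint)."""
    return {n: (bandaid_check(n), lint_dns_name(n) == []) for n in names}

# Constructed sample SAN values, not taken from any real certificate.
SAMPLE_NAMES = [
    "www.example.com",          # fine under both checks
    "*.example.com",            # fine under both checks
    "https://www.example.com",  # the reported class of defect
    "http://www.example.com",   # band-aid lets this through
    "www.example.com:443",      # band-aid lets this through
    "www.example.com/login",    # band-aid lets this through
    "-bad.example.com",         # band-aid lets this through
    "*.*.example.com",          # band-aid lets this through
    "192.168.0.1",              # belongs in iPAddress, not dNSName
]

if __name__ == "__main__":
    for name, (narrow, general) in compare(SAMPLE_NAMES).items():
        print(f"{name:28s} band-aid={narrow!s:5s} lint={general!s:5s} "
              f"{lint_dns_name(name)}")
```

Running the block shows the gap: only one of the nine sample names is caught by the narrow check, while the general lint rejects every malformed one and accepts the two well-formed ones. A real deployment would use one of the established linters rather than a hand-rolled check, but the shape of the result is the same: the check has to encode what a valid name is, not what the last bad one looked like.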