Section 4.9.3 of the CA/Browser Forum's Baseline Requirements says: "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means."

Mozilla has made a central list of these mechanisms in the CCADB [1] but, as it turns out, some of them (such as web forms with CAPTCHAs) are difficult to use.

It is proposed that Mozilla policy go above and beyond the BR requirement to state that email must be one of the problem reporting methods supported. Another argument in favor of requiring CAs to accept problem reports via email is that it provides the reporter with evidence of the submission via their email client and server logs. Arguments against this requirement include the burden placed on CAs who must sort through the large quantities of SPAM received by any published email address, concerns with email reliability, and the reporter's inability to confirm that their email has been received by the CA. According to CCADB [1], all but a handful of CAs already support problem reporting via email.

I would appreciate everyone's input on this topic.

This is: https://github.com/mozilla/pkipolicy/issues/98

[1] https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport

-------

This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy