I believe the intent of the certificate problem reporting in the BRs is to encourage CAs to accept and respond to issues. Although the intent is not specifically stated, my reasoning is based on the fact the BRs requiring CAs to maintain a 24x7 ability to respond, a 24 hour ability to process certificate problems, and a public reporting mechanism. To support this objective, I think we should make the process as easy as possible for reporters, including mandating email. Finding the email addresses is a pain with little reward. Having to go through captchas to even get the email sent is just another obstacle in getting the CA a timely certificate problem report. Therefore, I'd adopt Ryan Hurst's proposal and require that the email be in a standardized format (no more hunting for email aliases) without any blockers to prevent the certificate problem report. Filtering through the mess of emails you get on those aliases is the CAs responsibility.
Jeremy -----Original Message----- From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org> On Behalf Of Wayne Thayer via dev-security-policy Sent: Tuesday, April 17, 2018 10:50 AM To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Policy 2.6 Proposal: Require CAs to support problem reports via email Section 4.9.3 of the CA/Browser Forum's Baseline Requirements says: "The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means.” Mozilla has made a central list of these mechanisms in the CCADB [1] but, as it turns out, some of them (such as web forms with CAPTCHAs) are difficult to use. It is proposed that Mozilla policy go above and beyond the BR requirement to state that email must be one of the problem reporting methods supported. Another argument in favor or requiring CAs to accept problem reports via email is that it provides the reporter with evidence of the submission via their email client and server logs. Arguments against this requirement include the burden placed on CAs who must sort through the large quantities of SPAM received by any published email address, concerns with email reliability, and the reporter's inability to confirm that their email has been received by the CA. According to CCADB [1], all but a handful of CAs already support problem reporting via email. I would appreciate everyone's input on this topic. This is: https://github.com/mozilla/pkipolicy/issues/98 [1] https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport ------- This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent. Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
