On Wed, Apr 18, 2018 at 2:50 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Wed, Apr 18, 2018 at 12:14 AM, Dimitris Zacharopoulos via
> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > On 18/4/2018 12:04 a.m., Jeremy Rowley via dev-security-policy wrote:
> >
> > > Having to go through captchas to even get the email sent is just another
> > > obstacle in getting the CA a timely certificate problem report
> >
> > Nowadays, people deal with captchas all the time in various popular web
> > sites. I don't understand this argument. If someone wants to file a
> > certificate problem report, they will take the extra "seconds" to pass the
> > "I am not a robot" test :)
>
> The arguments for email are:
> 1 - it's easier. I have seen CAs use generic "support request" forms that
> are difficult to decipher, especially when not in one's native language.
> 2 - It scales better. When someone is trying to report the same problem to
> a number of CAs, one email is better than filling out a bunch of forms

While this optimizes for problem reporters, rather than receivers, I worry that the impact it would have on problem receivers - both in cost and effectiveness (particularly for spam) - will effectively disadvantage problem reporters. Being on the receiving end of several email aliases for security bugs, the noise to signal is... overwhelming. Even Mozilla now requires that security issues in Mozilla products be reported through Bugzilla, rather than email - and my understanding is for similar reasons.

> 3 - It automatically creates a record of the submission. Many forms provide
> the user no confirmation unless they remember to take a timestamped
> screenshot.

While this is true, would an alternative solution be to require that problem reports receive a distinct confirmation ID (e.g. in the way that Mozilla assigns bug numbers to problems reported through Bugzilla?).
As mentioned in the CA/Browser Forum regarding voting, there are a number of ways and reasons for which mail might be 'sent' by a client but never actually delivered to the recipient mailbox - hence the suggestion that email itself is not sufficient to constitute a vote, but that its availability on the public mail archives is that proof - aka, a stable, distinct identifier.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy