On Mon, Oct 8, 2018 at 11:25 AM piotr.grabowski--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Here's the incident report:
>
> 1. How your CA first became aware of the problem (e.g. via a problem
> report submitted to your Problem Reporting Mechanism, via a
> discussion in mozilla.dev.security.policy, or via a Bugzilla bug), and the
> date.
>
> Email from Wayne Thayer Oct 1, 2018
>
> 2. A timeline of the actions your CA took in response.
>
> A. Oct 2, 2018 - Investigation began.
> B. Oct 4, 2018 - Found impacted certificate policy templates.
> C. Oct 4, 2018 - All the certificates owners were contacted and agreed on
> issuance new BR compliant certificates in time convenient for them,
> preferably not later than by the end of this year and revocation
> current ones.
> D. Oct 8, 2018 - Fixed impacted certificate policy templates.
> E. Oct 8, 2018 - This disclosure.

Can you please re-review https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report ?

In the design of this template, one of the concerns was about understanding *how* a problem happened, not just how a CA responded. This is why it includes text such as "This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done."

1) When were the policy templates introduced?
2) When were the policy templates reviewed?
3) What are the templates review practices?
4) What controls, if any, exist to ensure that all templates are appropriate to the controls?

The misconfiguration of certificate policy templates is a significant incident, precisely because there have been significant CA misissuances as a result of it. In this regard, a CA that is misconfiguring policy templates is arguably as negligent as one failing to perform domain validation - this is an incredibly significant mistake by a CA.
A responsible CA seeking continued trust in their certificates would thus want to demonstrate that they understood how significant this was, and provide detailed descriptions about the timeline of events and the controls and practices they have in place to mitigate the risk of template misconfiguration. Anything short of that is gross negligence on behalf of a CA.