On 26/11/2018 16:31, Nick Lamb wrote:
In common with others who've responded to this report I am very
skeptical about the contrast between the supposed importance of this
customer's systems versus their, frankly, lackadaisical technical response.
This might all seem harmless but it ends up as "the boy who cried wolf".
If you relay laughable claims from customers several times, when it
comes to an incident where maybe some extraordinary delay was
justifiable any good will is already used up by the prior claims.
CA/B is the right place for CAs to make the case for a general rule
about giving themselves more time to handle technical non-compliances
whose correct resolution will annoy customers but impose little or no
risk to relying parties, I personally at least would much rather see CAs
actually formally agree they should all have say 28 days in such cases -
even though that's surely far longer than it should be - than a series
of increasingly implausible "important" but ultimately purely
self-serving undocumented exceptions that make the rules on paper worthless.
It should be noted that the counter-measures that some posts have
expected of the end-site in question may not always be realistic
(Speaking generally, as I have not data on the specifics of this end-
site):
1. Having a spare certificate ready (if done with proper security, e.g.
a separate key) from a different CA may unfortunately conflict with
badly thought out parts of various certificate "pinning" standards.
2. Being critical from a society perspective (e.g. being the contact
point for a service to help protect the planet), doesn't mean that the
people running such a service can be expected to be IT superstars
capable of dealing with complex IT issues such as unscheduled
certificate replacement due to no fault of their own.
3. Not every site can be expected to have the 24/7 staff on hand to do
"top security credentials required" changes, for example a high-
security end site may have a rule that two senior officials need to
sign off on any change in cryptographic keys and certificates, while a
limited-staff end-site may have to schedule a visit from their outside
security consultant to perform the certificate replacement.
Thus I would be all for an official BR ballot to clarify/introduce
that 24 hour revocation for non-compliance doesn't apply to non-
dangerous technical violations.
Another category that would justify a longer CA response time would be a
situation where a large batch of certificates need to be revalidated due
to a weakness in validation procedures (such as finding out that a
validation method had a vulnerability, but not knowing which if any of
the validated identities were actually fake). For example to recheck a
typical domain-control method, a CA would have to ask each certificate
holder to respond to a fresh challenge (lots of manual work by end
sites), then do the actual check (automated).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
