Thanks Wayne. Happy to update with that information. We’ll try to provide it 
all be end of the year, definitely before Jan 12. I can answer two of these 
generally now:

 

* Reason that publicly-trusted certificates are in use

- They are used on websites and infrastructure accessed through browsers. There 
are some that don’t need to be publicly trusted certificates, but the systems 
still check revocation. If Mozilla blocked the certs, the impact is minimal. If 
the certificates are revoke, the infrastructure goes down. Would you like me to 
identify which ones could be blocked by Mozilla vs. revoked?

 

* Reason that the provision for 30-day certificates isn't helpful

- The blackout periods don’t allow any change in infrastructure so replacing 
the certificates is just as difficult as changing the domain names. Even large 
non-tech companies don’t have a ton of automation so it’s not surprising that 
they’ll need more days to replace the certs if their blackout period ends the 
12th.

 

Of course, I’ll provide further information in the incident report as more 
specific information comes in.

 

From: Wayne Thayer <wtha...@mozilla.com> 
Sent: Thursday, December 20, 2018 9:04 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: r...@sleevi.com; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Underscore characters

 

Jeremy,

 

On Wed, Dec 19, 2018 at 10:55 PM Jeremy Rowley via dev-security-policy 
<dev-security-policy@lists.mozilla.org 
<mailto:dev-security-policy@lists.mozilla.org> > wrote:

Done: 



https://bugzilla.mozilla.org/show_bug.cgi?id=1515564

Thanks for submitting this. 



It ended up being about 1200 certs total that we are hearing can’t be replaced 
because of blackout periods.

These 1200 are only the ones that can't be replaced by Jan 15th and will cause 
outages if revoked then?

 

I don't think the information you've supplied is anywhere close to what Ryan 
asked for or what the community needs in order to make the decision you're 
asking for. I'm looking for specifics on why every cohort (i.e. every 
deployment scenario for every customer requesting an extension) of these 
certificates can't be revoked, such as:

* Specific per-customer change freeze dates and the rationale for them

* Explanations of the effort and risk involved in replacing them

* Reason that publicly-trusted certificates are in use

* Reason that the provision for 30-day certificates isn't helpful

 

Only with this information can we have some assurance that any exceptions are 
limited to the bare minimum and that we're able to learn and improve.

 

Without this information, we're still in the situation of blindly trusting 
DigiCert to do the right thing, which is no different than having a CA report 
an incident after the fact.

 

Is it realistic to expect that you can provide the level of detail that Ryan 
and I are requesting prior to 15-Jan?

 


From: Ryan Sleevi <r...@sleevi.com <mailto:r...@sleevi.com> > 
Sent: Wednesday, December 19, 2018 11:05 AM
To: Jeremy Rowley <jeremy.row...@digicert.com 
<mailto:jeremy.row...@digicert.com> >
Cc: r...@sleevi.com <mailto:r...@sleevi.com> ; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org 
<mailto:mozilla-dev-security-pol...@lists.mozilla.org> >
Subject: Re: Underscore characters



Look forward to seeing and discussing once the full scope of the request is 
shared.



On Wed, Dec 19, 2018 at 12:21 PM Jeremy Rowley <jeremy.row...@digicert.com 
<mailto:jeremy.row...@digicert.com>  <mailto:jeremy.row...@digicert.com 
<mailto:jeremy.row...@digicert.com> > > wrote:

We will post the full list of exceptions today. 



One of the big factors should be the risk to the industry/community if the 
certificates aren’t revoked. Perhaps we can identify what the risk to the 
community is in revocation delays first? There’s no need to know the exact 
certs to talk about what the risk associated with underscore characters is. 
Could you please explain the risk to the community in a revocation delay as the 
“unreasonable” argument isn’t really supported without that understanding. 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to