On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley <jeremy.row...@digicert.com>
wrote:

> I don’t think I’m arguing that CAs should ever ignore the BRs. I’m arguing
> that deciding the consequences of failing to follow the BRs falls in the
> hands of the browsers.  But I think you definitely highlighted why this
> discussion is confusing. I think all agree on the following:
>
>    1. Failure to revoke by Jan 15th is a non-compliance with the BRs.
>    2. Non-compliances require an incident report
>    3. The incident should appear on the audit report. Side note – there
>    won’t be audit criteria around this particular issue by the time all certs
>    are revoked. We’re planning to inform our auditor of course (already have
>    in fact), but without audit criteria any delay in issuance essentially goes
>    undetected unless someone in this community notices. Because the audit
>    criteria won’t be updated until well after our audit report, if we were a
>    bad acting CA, the incident would just never show up.
>
> I think the only thing we disagree on is:
>
>    1. Can the browser say what happens for a failure to comply with the
>    BRs before the failure happens.
>

Right, and I think this is where Matt was getting into the moral hazard
side of things, because I think this gets to the heart of the "ignore the
BRs".

If this is the question being answered, then it should be that every CA who
had a customer with some need would, rather than tell that customer no,
tell them "Go talk to the browsers". I think that's actively harmful and
unacceptable. It's unacceptable, because it shifts the burden wholly on to
the browsers to ensure the CAs' compliance, and it sets a dangerous
precedent that all BRs are up for negotiation, so long as it's before the
failure happens. Further, if the CA doesn't like the answer, then they can
say no - but all of the cost is borne by the community, in discussing and
evaluating, not by the CA, who might decide it's not worth an incident.

That's why I posed it as a separate thing - it's not about discussing what
happens before the failure happens - but that this specific discussion
we're having is about a remediation plan for underscores. This is similar
to discussions for remediations for other incidents, such as sub-CAs that
aren't following the BRs, metadata in OUs, and other forms of invalid
domain names. The 'standard' expectation is 24 hours. SC12 extended that
substantially. And we're discussing why some feel that even SC12's proposed
remediation plan is problematic, and needing concrete details.


> Is that a fair assessment?  I see why you wouldn’t want to engage in the
> question you asked (“Hypothetically, what would happen if we did (Bad
> Thing X)". That would be terrible. Much better to treat this question as
> “We know X is going to happen. What’s the best way to mitigate the concerns
> of the community?”  Exception was the wrong word in my original post. I
> should have used “What would you like us to do to mitigate when we miss the
> Jan 15th deadline?” instead. Apologies for the confusion there.
>

While I think "We know X is going to happen" is still problematic
(especially since DigiCert hasn't committed to actually having X happen), I
think you're correct that we're discussing "How do we best remedy
this issue in a timely fashion", which is consistent with
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy