On Thu, Dec 27, 2018 at 11:56:41PM +0000, Jeremy Rowley via dev-security-policy wrote:
> The risk is primarily outages of major sites across the web, including
> certs used in Google wallet. We’re thinking that is a less than desirable
> result, but we weren’t sure how the Mozilla community would feel/react.

I don't think there's *any* result from all this that everyone would consider desirable -- otherwise we wouldn't need to have this conversation.

> We’re still considering revoking all of the certs on Jan 15th based on
> these discussions. I don’t think we’re asking for leniency (maybe we are
> if that’s a factor?)

I'm not sure I'd call it "leniency", but I think you're definitely asking for "special treatment" -- pre-judgment on a potential incident so you can decide whether or not it's worth it (to DigiCert) to deliberately break the rules.

> Normally, we would just revoke the certs, but there are a significant
> number of certs in the Alexa top 100. We’ve told most customers, “No
> exception”.

What were the criteria by which DigiCert decided which customers to grant exceptions to? My default assumption is "whichever ones will cost us the most money, on a risk-of-departure-weighted basis, if we revoke their misissued certs", so if DigiCert's criteria were different, I'd be keen to have my assumption changed.

> I also thought it’s better to get the information out there so we can all
> make rational decisions (DigiCert included) if as many facts are known as
> possible.

There are a number of areas that I think could stand to have some more facts added.

First off, your customers. There is a certain amount of exposition in the pharmacy company bug, however I can't say that what's there so far fills me with a sense of contentment. You said in your most recent post, "Security vulnerabilities are patched based on their rating", and that lacking a CVSS it is difficult to get recognition of a problem. Would it be fair to say that this narrow approach to security is shared by all/most/some/none of the other similarly situated customers?

As an aside, on the subject of "there's no CVSS score for this", let me fix that up, with the official WombleSecure(TM)(R)(Patent Pending) CVSS for "your certs are getting revoked":

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H

7.5 base, 7.2 temporal, and 8.9 environmental. All those scores are in the "high" band. "Availability" *is* one of the sides of the security triangle, after all.

Focusing on the "what about next time?" aspect, which I believe is the most important, I'd be interested to know what your customers are planning on changing about their systems and processes, such that if a similar event happens in the future, the outcome won't be the same.

A similar question applies, even more forcefully, to DigiCert itself. Clearly, whatever you've done so far didn't work, because these customers of yours didn't heed whatever warnings and caveats you provided, and built themselves systems and processes that are unable to comply with their agreements to DigiCert (and, by extension, relying parties). Hence, what is it that DigiCert plans to change, such that an equivalent result cannot happen in the future, given a similar event?

There was one rather draconian possibility suggested up-thread, of DigiCert limiting itself to 100 days validity, and revoking a number of randomly-chosen certificates periodically. That would certainly remove any practical possibility of customers not being able to refresh their certificates if-and-when, however I can imagine it might be a bit of a shock to the system for many of them. Hence, I'd be interested in hearing what DigiCert's actual plans are, because if it were my call, *that* would be the single biggest factor in determining the disposition of an event like this. That errors occur is regrettable, but it's when they happen repeatedly that it becomes indefensible.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
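As an added example (not part of Matt's message, nor anything published by DigiCert or Mozilla), a small CVSS v3.0 calculator that parses the vector quoted in the message and reproduces its 7.5 base, 7.2 temporal and 8.9 environmental scores, so the "your certs are getting revoked" rating can be checked offline; `cvss30_scores`, `roundup` and `PAGE_VECTOR` are names chosen for this example, and the weights are those of the v3.0 specification.

```python
import math
# Metric weights from the CVSS v3.0 specification (section 8.4).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR multipliers
}
# Privileges Required weighs differently when scope changes.
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}

# The vector from the message above (the calculator URL fragment).
PAGE_VECTOR = ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C/AR:H/"
               "MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H")

def roundup(x):
    """CVSS 'round up to one decimal', done on integers to avoid float error."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _sub_score(m, s, c, i, a, reqs):
    """min(impact + exploitability, 10) for one set of (possibly modified) metrics."""
    # The 0.915 cap is specified for the modified ISS; base ISS never reaches it.
    iss = min(1 - (1 - W["CIA"][c] * reqs[0]) * (1 - W["CIA"][i] * reqs[1])
              * (1 - W["CIA"][a] * reqs[2]), 0.915)
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[s][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return min(impact + expl if s == "U" else 1.08 * (impact + expl), 10)

def cvss30_scores(vector):
    """Return (base, temporal, environmental) scores for a CVSS:3.0 vector string."""
    parts = vector.split("/")
    assert parts[0] == "CVSS:3.0", "expected a CVSS:3.0 vector"
    m = dict(p.split(":") for p in parts[1:])
    def mod(k):  # modified metric, falling back to the base metric when absent or X
        v = m.get("M" + k, "X")
        return m[k] if v == "X" else v
    base = roundup(_sub_score(m, m["S"], m["C"], m["I"], m["A"], (1.0, 1.0, 1.0)))
    temporal_mult = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
    temporal = roundup(base * temporal_mult)
    mm = {k: mod(k) for k in ("AV", "AC", "PR", "UI")}
    reqs = tuple(W["REQ"][m.get(k, "X")] for k in ("CR", "IR", "AR"))
    env = roundup(roundup(_sub_score(mm, mod("S"), mod("C"), mod("I"), mod("A"), reqs)) * temporal_mult)
    return base, temporal, env
```

The environmental score climbs to 8.9 purely because AR:H weights availability at 1.5, which is the point Matt is making: for a site whose certificate gets revoked, availability is the whole problem.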