On Mon, Mar 4, 2019 at 11:46 AM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> El lunes, 4 de marzo de 2019, 12:37:43 (UTC+1), arnold...@t-systems.com
> escribió:
> > The incident report can be found here,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1530718
>
> Hello,
> related to this...
>
> Is there a policy about test certificates and CT logs?
>
> Sometimes it's required to do "negative tests" to check our systems and it
> can lead to a misissuance if a control fails; this typically would happen
> for a test certificate that is issued for a domain owned by the CA and
> revoked immediately after the test.
>
> It's clear that first thing is to test with a dev environment, but
> sometimes it's required to do final validation tests in production, and,
> let's agree, "sh*t happens"
>
> Now all these tests go public in the CT logs and are treated as any other
> misissuance, and I don't know if it was discussed here in the past some
> good practice for these test certificates and potential "controlled and
> inoffensive" misissuances. Maybe a CA could disclose some "sandbox domain",
> on which we can do tests without raising excessive concerns..
>

Just to make sure: This isn't really a question about CT at all, is it?
It's a question about CAs performing testing in production that leads to
misissuances.

As with any system, care should be taken before doing testing in
production. If you're unable to test in a controlled environment, that
likely reveals systemic flaws in how configuration deployment is managed.
If "sh*t happens" in production, it's an incident, and it should be treated
with the same degree of seriousness and urgency as one might expect, and I
think any concerns would, by definition, not be excessive - because it
reveals a real issue in production that could and should have been caught
internally beforehand.

That's not to discourage testing, which I fear it might be seen as. I think
CAs that do perform such tests are doing far better than CAs that do not,
but if it results in misissuance, it's a misissuance all the same, and it's
reasonable to be concerned and to understand. For example, incident reports
would and should be expected to examine whether this was also tested on an
internal system first, what and how the controls failed, and not just "The
control that failed is being fixed" as a remediation, but how systemically
the CA is improving their internal testing environment and production
deployment to avoid divergence (and how that divergence happened in the
first place). All of these things help the ecosystem improve, and don't
seem unreasonable or onerous.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy