On Sat, Mar 9, 2019 at 2:49 PM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
> The question I'm having trouble answering, and I would appreciate if this
> was answered by the Mozilla CA Certificate Policy Module Owner, is
>
> "does Mozilla treat this finding as a violation of the current language of
> section 7.1 of the CA/B Forum Baseline Requirements"?
>

I think for Mozilla, this is best answered by Kathleen, Wayne, and the Mozilla CA Policy Peers, of which I am not one.

On behalf of Google and the Chrome Root Authority Program, and consistent with past discussion in the CA/Browser Forum regarding expectations [1], we do view this as a violation of the Baseline Requirements. As such, the providing of incident reports, and the engagement with public discussion of them, represents the most transparent and acceptable course of action.

Historically, we have found that the concerns around incident reporting have been best addressed through a single, unified, and transparent engagement in the community. Much as ct-pol...@chromium.org has happily and intentionally supported collaboration from counterparts at Mozilla and Apple, Mozilla has historically graciously allowed for the unified discussion on this mailing list, and the use of their bugtracker for the purpose of engaging publicly and transparently on incident reports that affect the Web PKI. Should Mozilla have a different interpretation of the Baseline Requirements' expectations on this, we'd seek guidance as to whether or not the bug tracker and mailing list continue to represent the best place for discussion of this specific issue, although note that historically, this has been the case.
This should make it clear that CAs which extracted 64 bits of entropy as an input to an algorithm that then set the sign bit to positive, potentially decreasing the entropy to 63 bits, as opposed to unconditionally guaranteeing that there was a positive integer with _at least_ 64 bits of entropy, are non-compliant with the BRs and program expectations, and should file incident reports and include such disclosures in their reporting by and assertions to auditors.

[1] https://cabforum.org/pipermail/public/2016-April/007245.html

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
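The entropy loss described in the message above, shown as an added example that is not part of the original post or of any CA's software. `flawed_serial` is a hypothetical generator that draws 64 random bits and then clears the top bit to force a positive integer, so two distinct 64-bit inputs that differ only in that bit collide and the output space shrinks to 2^63. `compliant_serial` is one way (an assumption, not the only one) to keep all 64 random bits: it prefixes them with a fixed 0x01 byte so the DER INTEGER is positive without discarding any random bit. The DER encoder and the BR/RFC 5280 checks (serial greater than zero, at most 20 content octets) are written here for illustration.

```python
"""Serial number generation: clearing the sign bit of 64 random bits
versus keeping all 64 bits behind a fixed positive prefix byte.
Added example; the generator names and the 0x01 prefix are assumptions."""
import os

MASK_63 = (1 << 63) - 1


def flawed_serial(rand8: bytes) -> int:
    """Hypothetical flawed generator: take 64 random bits, then force the
    value positive by clearing bit 63. The top random bit is thrown away,
    so only 2**63 distinct serials are possible (63 bits of entropy)."""
    if len(rand8) != 8:
        raise ValueError("expected exactly 8 random bytes")
    return int.from_bytes(rand8, "big") & MASK_63


def compliant_serial(rand8: bytes) -> int:
    """Keep all 64 random bits and prepend a fixed 0x01 byte. The integer is
    always positive and every random bit survives (64 bits of entropy)."""
    if len(rand8) != 8:
        raise ValueError("expected exactly 8 random bytes")
    return int.from_bytes(b"\x01" + rand8, "big")


def collides(gen, rand8: bytes) -> bool:
    """True if rand8 and rand8-with-bit-63-flipped map to the same serial,
    i.e. the generator discards that bit of input entropy."""
    flipped = (int.from_bytes(rand8, "big") ^ (1 << 63)).to_bytes(8, "big")
    return gen(rand8) == gen(flipped)


def der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02).
    (bit_length + 8) // 8 content bytes yields a leading 0x00 exactly when
    the high bit of the first value byte would otherwise be set."""
    if value < 0:
        raise ValueError("DER serial numbers here are non-negative only")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(body) > 127:
        raise ValueError("long-form length not needed for serial numbers")
    return bytes([0x02, len(body)]) + body


def br_checks(value: int) -> dict:
    """Checks a practitioner can actually run on an issued serial: BR 7.1
    requires a value greater than zero; RFC 5280 caps the INTEGER content
    at 20 octets. Input entropy cannot be checked from the output alone."""
    content_octets = len(der_integer(value)) - 2
    return {"positive": value > 0, "at_most_20_octets": content_octets <= 20}


if __name__ == "__main__":
    rand8 = os.urandom(8)  # constructed input; any CSPRNG output works
    for name, gen in (("flawed", flawed_serial), ("compliant", compliant_serial)):
        serial = gen(rand8)
        print(f"{name:9s} serial={serial:#x} bits={serial.bit_length()} "
              f"collides_on_bit63={collides(gen, rand8)} "
              f"der={der_integer(serial).hex()} checks={br_checks(serial)}")
```

Note that both generators pass `br_checks`: the output of the flawed one is a perfectly well-formed positive serial, which is why the defect is only visible by inspecting the generation algorithm (the `collides` check) and not by examining issued certificates.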