On Wed, Apr 10, 2019 at 12:23 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> I'm either confused, or I disagree. We're talking about a certificate that
> deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents
> [1] defines misissuance, in part, as "RFC non-compliant". The certificate
> as described strictly complies with RFC 5280 (and presumably all other
> policies). In this circumstance, I do not expect an incident report.
>
> Having said that, I would be pleased if a CA voluntarily published an
> incident report explaining how the mistake happened and steps taken to
> learn and improve. That level of transparency would be seen as a positive
> rather than a mark against the CA.
>
> - Wayne
>
> [1] https://wiki.mozilla.org/CA/Responding_To_An_Incident

I don't think you're confused Wayne, and I'd agree. Deviation from a SHOULD is not, in and of itself, an incident. It's not unreasonable that members of the community might detect that and ask why, but I don't think that makes it a mistake, so much as a curiosity.

That said, I do agree that CAs that deviate from SHOULDs, intentionally or unintentionally, benefit from being transparent about this, as it helps build understanding about potentially unmet use cases, find alternatives (for example, if deviation would pose an interoperability risk, despite being a SHOULD), or just generally be a demonstration of the CA's own monitoring and compliance regime that it notices such deviations. Having more systematic sharing of knowledge is, I think, a net benefit to the community - and even unintentional situations, whether detected internally or externally, provide extremely valuable learning opportunities that help protect against deviations from MUSTs :)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy