FYI, we posted this today:
https://bugzilla.mozilla.org/show_bug.cgi?id=1550645

Basically we discovered an issue with our CAA record checking system. If the system timed out, we would treat the failure as a DNS failure instead of an internal failure. Per the BRs Section 3.2.2:

"CAs are permitted to treat a record lookup failure as permission to issue if:
- the failure is outside the CA's infrastructure;
- the lookup has been retried at least once; and
- the domain's zone does not have a DNSSEC validation chain to the ICANN root"

The failure was not outside our infrastructure, so issuance was improper. We checked all the applicable CAA records and found 16 where the CAA record would not permit us to issue if we were issuing a new cert today. What we are proposing is to revoke these certificates and reissue them (if they pass all the proper checks). The rest would pass if we issued today, so we were going to leave these where they are while disclosing them to the Mozilla community. Other suggestions are welcome.

The issue was put into the code back when CAA record checking became mandatory (Sept 2017). We generally have a peer review of our code so that at least one other developer has looked at the system before release. In this case, neither PM nor a second reviewer was involved in the development. We've since implemented more stringent development processes, including ensuring a PM reviews and brings questions about projects to the compliance team.

Anyway, let me know what questions, comments, etc. you have.

Thanks!

Jeremy
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
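The post's root cause is a classification error: a timeout inside the CA's own checker was reported as an ordinary DNS failure, which BR 3.2.2 allows a CA to treat as permission to issue only when the failure is outside the CA's infrastructure, the lookup has been retried, and the zone is not DNSSEC-signed. The following is an added Python example, not the poster's CA's checker and not taken from the bug report, that models that decision with both the mis-classification and the correct one side by side. The CA identifier `example-ca.test`, the `make_resolver` fake and the `SAMPLE_ZONES` data are all constructed for the example; the CAA record semantics (tree climb, `issue`/`issuewild`, `;`-separated parameters) follow RFC 8659, simplified so that an RRset with no `issue`/`issuewild` property is treated as unrestricted.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CA_ID = "example-ca.test"  # constructed issuer-domain-name this CA recognizes as its own


class InternalTimeout(Exception):
    """The CA's own checker/resolver timed out: a failure inside the CA's infrastructure."""
    def __init__(self, dnssec: bool = False):
        self.dnssec = dnssec  # whether the zone being queried is DNSSEC-signed (known from parent DS)


class ExternalDnsFailure(Exception):
    """SERVFAIL or no answer from the domain's authoritative servers: outside the CA."""
    def __init__(self, dnssec: bool = False):
        self.dnssec = dnssec


@dataclass
class CaaAnswer:
    records: List[Tuple[str, str]]  # (tag, value) pairs, e.g. ("issue", "example-ca.test")
    dnssec: bool = False            # zone has a DNSSEC validation chain to the ICANN root


Lookup = Callable[[str], CaaAnswer]       # raises one of the exceptions above on failure
Classifier = Callable[[Exception], str]   # returns "internal" or "external"


def correct_classifier(exc: Exception) -> str:
    """An internal timeout is the CA's own fault and must never count as a DNS failure."""
    return "internal" if isinstance(exc, InternalTimeout) else "external"


def buggy_classifier(exc: Exception) -> str:
    """Reproduces the defect described in the post: every failure looks like a DNS failure."""
    return "external"


def lookup_with_retry(name: str, lookup: Lookup, retries: int = 1) -> CaaAnswer:
    """BR 3.2.2 requires at least one retry before a failure may be relied upon."""
    last: Optional[Exception] = None
    for _ in range(retries + 1):
        try:
            return lookup(name)
        except (InternalTimeout, ExternalDnsFailure) as exc:
            last = exc
    assert last is not None
    raise last


def records_permit(records: List[Tuple[str, str]], ca_id: str, wildcard: bool) -> bool:
    """issuewild governs wildcard names when present, otherwise issue applies.
    Parameters after ';' are ignored; a bare ';' value matches no CA, so it forbids."""
    tags = ("issuewild", "issue") if wildcard else ("issue",)
    for tag in tags:
        values = [v for t, v in records if t == tag]
        if values:
            return any(v.strip().split(";")[0].strip() == ca_id for v in values)
    return True  # simplification: no issue/issuewild property means unrestricted


def caa_permits(domain: str, lookup: Lookup, classify: Classifier,
                ca_id: str = CA_ID) -> Tuple[bool, str]:
    """Climb from the requested name toward the root (RFC 8659); the first non-empty
    CAA RRset is the relevant one. Returns (permitted, reason)."""
    wildcard = domain.startswith("*.")
    labels = (domain[2:] if wildcard else domain).split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        try:
            answer = lookup_with_retry(name, lookup)
        except (InternalTimeout, ExternalDnsFailure) as exc:
            if classify(exc) == "internal":
                return False, f"internal failure looking up {name}: refuse"
            if exc.dnssec:
                return False, f"external failure on DNSSEC-signed zone {name}: refuse"
            return True, f"external failure on unsigned zone {name} after retry: permitted"
        if answer.records:
            ok = records_permit(answer.records, ca_id, wildcard)
            return ok, f"relevant RRset at {name} {'permits' if ok else 'forbids'} {ca_id}"
    return True, "no CAA records anywhere in the tree: permitted"


def make_resolver(zones: Dict[str, List[object]]) -> Lookup:
    """Constructed stand-in for a resolver: each name maps to a queue of outcomes
    (a CaaAnswer or an exception instance); the last outcome repeats forever."""
    state = {name: list(queue) for name, queue in zones.items()}

    def lookup(name: str) -> CaaAnswer:
        queue = state.get(name, [CaaAnswer([])])
        outcome = queue.pop(0) if len(queue) > 1 else queue[0]
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return lookup


# Constructed sample zones covering the cases the BR text distinguishes.
SAMPLE_ZONES: Dict[str, List[object]] = {
    "allowed.example": [CaaAnswer([("issue", "example-ca.test; validationmethods=dns-01")])],
    "other.example": [CaaAnswer([("issue", "some-other-ca.test")])],
    "sub.other.example": [CaaAnswer([])],                       # empty: climb to parent
    "flaky.example": [ExternalDnsFailure(), CaaAnswer([("issue", "example-ca.test")])],
    "down.example": [ExternalDnsFailure(dnssec=False)],         # persistent, unsigned zone
    "signed.example": [ExternalDnsFailure(dnssec=True)],        # persistent, DNSSEC-signed zone
    "slow.example": [InternalTimeout()],                        # the CA's own checker timed out
}

if __name__ == "__main__":
    for name in SAMPLE_ZONES:
        for label, clf in (("buggy", buggy_classifier), ("correct", correct_classifier)):
            print(f"{name:20s} {label:8s} {caa_permits(name, make_resolver(SAMPLE_ZONES), clf)}")
```

Running the block shows the two classifiers agreeing on every zone except `slow.example`, where the buggy path permits issuance after an internal timeout and the correct path refuses. The retry in `lookup_with_retry` is what rescues `flaky.example`, and `signed.example` shows that a persistent external failure still does not permit issuance once the zone is DNSSEC-signed.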