On Fri, 10 May 2019 02:05:17 +0000
Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> https://bugzilla.mozilla.org/show_bug.cgi?id=1550645
> 
> Anyway, let me know what questions, comments, etc you have.

Thanks Jeremy,

If DigiCert is able to retrospectively achieve confidence that issuance
would have been permitted (because their records are good enough to go
back and see the CAA DNS records that were fetched but not used or at
the least the assessment made of those records at the time) I personally
think there is no need to revoke certificates that were in some sense
legitimately issued. To revoke them in these circumstances seems
perverse.

This also rewards keeping high quality issuance records that let you go
back and understand what went wrong. The BRs mandate some record
keeping, but we definitely don't always see evidence of good quality
record keeping in incident reports (I would count ISRG / Let's Encrypt
here definitely).


If DigiCert turns out not to have the records, or checking isn't done
for whatever reason, then I think all 1053 affected certs should be
revoked, without trying to justify narrowing it down further.

In the margins, e.g. if DigiCert can see that some cases have no CAA,
but in cases with CAA it's not possible to be sure if it would have
permitted issuance, I think we need to ask for all 1053 to be revoked
for consistency rather than making complicated decisions that have the
effect of penalizing some subscribers for doing the Right Thing.


I don't endorse the plan of revoking 16 certs based on CAA information
that's far (perhaps more than 12 months) newer than the issuance. I
don't think this is compatible with the declared philosophy of the CAA,
and so it makes the message about what CAA is or is not for too
muddled. Revoking all 1053 makes more sense than revoking 16 on this
basis.


Nick.
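An added illustration, not part of Nick's mail or of DigiCert's process, of the retrospective replay argued for above: given the CAA RRsets a CA logged at issuance time, decide per name whether issuance would have been permitted under the RFC 8659 matching rules, and apply the rule that a batch whose records cannot support a conclusion is revoked whole. All names and records below are constructed.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical bit of the CAA flags octet

class IncompleteLog(Exception):
    """An ancestor the CAA climb needs was never logged, so the replay is inconclusive."""

def relevant_rrset(log, fqdn):
    # RFC 8659 climb: wildcards start at the parent; the first name whose logged
    # RRset is non-empty is the relevant one. Records are (flags, tag, value) tuples.
    start = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = start.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name not in log:
            raise IncompleteLog(name)
        if log[name]:
            return log[name]
    return []

def would_have_permitted(log, fqdn, ca_domain):
    """Return 'permitted', 'not-permitted' or 'undetermined' for one certificate name."""
    try:
        rrset = relevant_rrset(log, fqdn)
    except IncompleteLog:
        return "undetermined"
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return "not-permitted"  # critical flag on a tag the CA does not understand
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    wild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    governing = wild if fqdn.startswith("*.") and wild else issue  # issuewild wins for wildcards
    if not governing:
        return "permitted"  # no restricting tags (only iodef, or no CAA anywhere)
    issuers = {v.split(";", 1)[0].strip().lower() for v in governing}
    return "permitted" if ca_domain.lower() in issuers else "not-permitted"

def revocation_set(results):
    """Revoke only names whose replay says 'not-permitted', unless any replay is
    undetermined: then the whole batch goes, rather than a line the records cannot support."""
    if "undetermined" in results.values():
        return set(results)
    return {n for n, v in results.items() if v == "not-permitted"}

# Constructed sample log (not DigiCert data): [] means queried with no CAA answer;
# a name missing from the dict was never logged.
SAMPLE_LOG = {
    "www.example.test": [],
    "example.test": [(0, "issue", "ca-example.test; account=12"), (0, "issuewild", ";")],
    "api.plain.test": [], "plain.test": [], "test": [],
    "shop.unlogged.test": [],
}
```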
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy