We regret your impression that we take this issue with anything less than the 
utmost seriousness.

We have opened a ticket and are actively working with our CA software vendor to 
address the underlying issue.

Rather than stopping there, we have been working concurrently to put into place 
the necessary checks against openssl-blacklist independently of the CA software 
vendor.

Whether through our CA software vendor or independently, we are committed to 
finding a long-term solution that is effective and efficient.

We will provide regular updates of our progress to the bug (to which this 
message has also been posted).

On Wednesday, March 11, 2020 at 1:25:19 PM UTC-5, Ryan Sleevi wrote:
> On Wed, Mar 11, 2020 at 1:46 PM Chris Kemmerer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > You are correct, each compliance violation is considered an incident.
> > However in our opinion we have not violated our CP/CPS or the current
> > Baseline Requirements.  Although this is a complex issue with no definite
> > consensus on which authoritative list to use (only suggestions), we do have
> > a weak keys detection mechanism in place, it does detect Debian weak keys
> > (although it's not perfect) and it also detects ROCA vulnerable keys.
> 
> 
> I've commented on the bug as much, but I find this response deeply
> disappointing and disconcerting.
> 
> This CA ignored a widely known, explicitly circulated list of
> known-compromised keys, and is now doubling down that there's nothing wrong
> with this. The justification is "This key was not known to be compromised
> /by us/", with their rationale of "The BRs explicitly tell us where we
> could find a list of known weak/compromised keys, but doesn't say we have
> to look at it, and so our elective ignorance is a virtue, not a vice".
> 
> Whatever your view of the correctness [1] of this argument, as a systemic
> response from a CA, the entrenchedness here suggests that unless the CA can
> be hand-held into being trustworthy, they will do the minimum possible
> thing.
> 
> I appreciate the suggestions for improvement, and that's at least slightly
> positive, but if the answer is "You have to tell us to read that page or we
> won't, even if you tell us /about/ that page", then... meh, that's not a CA
> that inspires confidence.
> 
> [1] https://www.youtube.com/watch?v=hou0lU8WMgo

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
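The two checks the thread keeps coming back to (a lookup against the Debian openssl-blacklist and a ROCA fingerprint test) are small enough to show in full. The block below is an added illustration and is not SSL.com's, the CA software vendor's, or the openssl-blacklist package's own code. It assumes the blacklist entry format used by openssl-vulnkey (the last 80 bits of SHA-1 over the "Modulus=<HEX>" line that `openssl rsa -noout -modulus` prints), uses the 39-prime residue test from the ROCA paper, and works on the modulus as an integer (pull it out of a CSR or certificate with `openssl req -noout -modulus` / `openssl x509 -noout -modulus`). The sample blacklist and the sample moduli are constructed for the demo; the "ROCA-shaped" modulus is built from non-prime factors purely to exercise the residue test.

```python
"""Weak-key screening of the kind discussed in the thread: Debian
openssl-blacklist lookup plus ROCA (CVE-2017-15361) fingerprinting.
Added illustration; not SSL.com's or any CA vendor's code."""
import hashlib


def debian_blacklist_entry(n: int) -> str:
    """Blacklist entry for RSA modulus n, following the openssl-vulnkey recipe
    (assumed format): last 20 hex chars (80 bits) of SHA-1 over the exact line
    OpenSSL prints for `openssl rsa -noout -modulus`, i.e. "Modulus=<HEX>\\n"
    with uppercase hex padded to whole bytes (as BN_bn2hex does)."""
    hex_mod = n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper()
    line = "Modulus=%s\n" % hex_mod
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def load_blacklist(text: str) -> set:
    """Parse a blacklist.RSA-<bits> file: one 20-hex-char entry per line,
    blank lines and '#' comments ignored."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def is_debian_weak(n: int, blacklist: set) -> bool:
    return debian_blacklist_entry(n) in blacklist


# ROCA fingerprint (Nemec et al., CCS 2017): every modulus from the affected
# Infineon RSALib satisfies n mod p in <65537>, the subgroup generated by
# 65537 in Z_p^*, for each of these 39 small primes. A random modulus fails
# for at least one prime with overwhelming probability, so the test has a
# negligible false-positive rate and no false negatives for affected keys.
ROCA_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
               61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
               131, 137, 139, 149, 151, 157, 163, 167]


def _generator_subgroup(p: int, g: int = 65537) -> set:
    """All residues g^k mod p (the cyclic subgroup generated by g)."""
    members, x = set(), 1
    while True:
        members.add(x)
        x = (x * g) % p
        if x == 1:
            return members


ROCA_RESIDUES = {p: _generator_subgroup(p) for p in ROCA_PRIMES}


def roca_fingerprint_matches(n: int) -> bool:
    return all(n % p in ROCA_RESIDUES[p] for p in ROCA_PRIMES)


def screen_key(n: int, blacklist: set) -> list:
    """Findings for modulus n; an empty list means both checks passed.
    A CA would run this on every CSR before issuance, not just at renewal."""
    findings = []
    if is_debian_weak(n, blacklist):
        findings.append("debian-weak-key")
    if roca_fingerprint_matches(n):
        findings.append("roca")
    return findings


if __name__ == "__main__":
    # Constructed demo data (NOT the real Debian list, NOT real keys).
    weak_n = 12345678901234567
    blacklist = load_blacklist("# constructed sample\n" +
                               debian_blacklist_entry(weak_n) + "\n")
    M = 1
    for p in ROCA_PRIMES:
        M *= p
    # Factors of the form k*M + 65537^a mod M mimic RSALib primes; the
    # product then has n mod p = 65537^(a+b) mod p for every p dividing M.
    roca_n = (pow(65537, 3, M) + 5 * M) * (pow(65537, 7, M) + 11 * M)
    print("weak_n :", screen_key(weak_n, blacklist))
    print("roca_n :", screen_key(roca_n, blacklist))
    print("other  :", screen_key(2 * M + 13, blacklist))
```

The Debian check is only as good as the list you feed it: the real blacklist files are split by key size (blacklist.RSA-1024, -2048, -4096), so a CA has to select the file matching the submitted key's modulus length, and the published lists deliberately omit some architectures and sizes, which is why a blacklist hit is sufficient but its absence is not proof the key is sound. The ROCA test, by contrast, is purely mathematical and needs no external data, which makes it cheap to run on every CSR.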