A major difficulty I found in trying to report compromised keys to CAs was in finding a reporting address to use. Now, by itself, that could be solved by making CCADB reporting addresses be authoritative, but that would also require standardisation of reporting types, and it's a whole rabbit hole. There are also many other reasons why someone might want to examine the CPS that pertains to a particular certificate, so it makes sense to be able to easily find that document as and when required.
Being unable to find the correct CPS for a CA had several causes:

1. Certificates don't *have* to have a cPSuri (although the vast majority do);
2. cPSuri, when present, doesn't point at a CPS, but rather at a CA's repository, which often contains a myriad of documents which often are unclearly related to the certificate in hand;
3. When a relevant-looking CPS is found, it can be in a non-English language, with no clear pointers to the location of the (Mozilla-required) non-authoritative English translation of that document.

My various sub-proposals are, unsurprisingly, closely aligned to these sub-issues.

1. Make cPSuri mandatory

I assume there was a Very Good Reason for cPSuri to be optional, but for the life of me I can't think of what it would be. Unless someone comes up with the killer argument against it (and no, "it bloats certificates" doesn't count, IMAO), I think this one's a no brainer. When there's no link to a CPS, in any way, shape or form, I'm left flailing around in the giant CCADB CSV o' doom to figure out where the CPS lives, and that... ain't easy. In one case, I sent a problem report to *completely* the wrong CA. If each certificate had a link to the right place, that problem, at least, couldn't happen.

2. Make the cPSuri actually point to the relevant CPS

It seems odd to me that the BRs have relaxed what RFC5280 has to say about cPSuri, which is "The CPS Pointer qualifier contains a pointer to a Certification Practice Statement (CPS) published by the CA", to say "HTTP URL for the Subordinate CA's Certification Practice Statement, Relying Party Agreement or other pointer to online information provided by the CA". I'm not a fan of 5280's laxity regarding specifying *which* CPS published by the CA should be linked to, but at least it's pretty clear that the content at the end of the link should be *a* CPS, rather than the BRs allowing a CA to link to basically anything they like.
The problem is that a CA's repository, or "online information provided by the CA", typically looks something like this:

* CPS for Device PKI
* Frambingaling CP and CPS v2.1
* Latest Certificate Practice Statement for Small Furry Creatures
* Subscriber Agreement and Addendum for Something Something

... and so on. How I get from "I have a certificate that I need to report", which contains an issuer CN and not much else, to the correct document out of that list above, is a non-trivial problem. Having the cPSuri point *to the CPS* would completely solve that.

There is a bit of a side point here, about whether the correct CPS to link to is CPS-at-time-of-issuance, or CPS-at-time-of-retrieval. Given that CAs don't seem to ever provide old CPSes in their repository, I assume that the general consensus is that the appropriate CPS to review is *always* the current version. Presumably, if a CA publishes a non-backwards-compatible CPS (ie the new CPS would not permit issuance of a certificate that was OK under the old CPS), the CA is obliged to revoke all those now-invalid certificates.

3. Require non-English language CPSes to link to the English translation

I am sympathetic to CAs which operate primarily in a non-English market, in that they want their primary materials to be in the language of their market. That's no problem. However, there is a problem when I need to go from "here is a CPS I found in a language I don't speak" to "here is the corresponding CPS in English". So, I'd like to see it a requirement that the "primary language" CPS have, in some easily-findable-by-monoglots-like-myself spot, a link to the corresponding English translation for *this CPS*. A link to the "English language translations" repository doesn't help, for much the same reason that cPSuri linking to the CA's repository doesn't help. If I don't know what the translation of the relevant CPS' title is, I'm not going to be able to pick out the right English language CPS from the list.
If the word "English" is in the text surrounding the link, that'd make it easy enough: ^F, "English", copy-paste URL, done.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
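As an added illustration, not part of Matt's post: the cPSuri he refers to lives in the certificatePolicies extension (RFC 5280 section 4.2.1.4) as a PolicyQualifierInfo whose qualifier id is id-qt-cps (1.3.6.1.5.5.7.2.1). This dependency-free Python walker pulls every cPSuri out of a certificatePolicies extension value and lists the policies that carry none, which is the gap proposal 1 would close. The DER sample is constructed here, and the function names and the example.com URL are assumptions.

```python
"""Extract cPSuri qualifiers from an X.509 certificatePolicies extension value (DER)."""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps: the qualifier that carries the CPS URI

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _decode_oid(raw):
    """Decode DER OID contents to dotted form (first octet packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cps_uris(cert_policies_der):
    """Map each policy OID to the list of cPSuri strings attached to it ([] when none)."""
    tag, policies, _ = _read_tlv(cert_policies_der, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE OF PolicyInformation"
    result = {}
    for _, info in _children(policies):                # PolicyInformation
        parts = list(_children(info))                  # [policyIdentifier, policyQualifiers?]
        uris = []
        if len(parts) > 1:
            for _, qual in _children(parts[1][1]):     # PolicyQualifierInfo
                (_, qid), (qtag, qval) = list(_children(qual))[:2]
                if _decode_oid(qid) == ID_QT_CPS and qtag == 0x16:   # 0x16 = IA5String
                    uris.append(qval.decode("ascii"))
        result[_decode_oid(parts[0][1])] = uris
    return result

def policies_without_cps(cert_policies_der):
    """Policy OIDs that give a relying party no cPSuri to follow (proposal 1's gap)."""
    return [oid for oid, uris in cps_uris(cert_policies_der).items() if not uris]

def _tlv(tag, body):                                   # short-form DER encoder for the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: a DV policy (2.23.140.1.2.1) with a cPSuri, and anyPolicy with none.
_OID_CPS, _OID_DV, _OID_ANY = bytes.fromhex("2b06010505070201"), bytes.fromhex("67810c010201"), bytes.fromhex("551d2000")
SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x06, _OID_DV) + _tlv(0x30, _tlv(0x30, _tlv(0x06, _OID_CPS)
         + _tlv(0x16, b"https://example.com/cps.pdf")))) + _tlv(0x30, _tlv(0x06, _OID_ANY)))
```

Running `cps_uris(SAMPLE)` on a real certificate's extension value is the same call; only the bytes change.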

