Thank you for your update. This does not appear to answer the questions raised. I would appreciate if GoDaddy shared a more meaningful response, in line with addressing the concerns Nick raised, as well as the outstanding matters on the bug.
In particular, this response fails to analyze what went wrong, what has been done systemically by GoDaddy to prevent future incidents, and what are practices other CAs should consider to prevent similar incidents. In addition to the outstanding question from Nick, for this sort of response to be acceptable at all, more detail is needed: - What improvements were made, and why? - What training was done? What was changed? How is the training performed and evaluated? Why did the previous training fail to address this? Why is training seen as an acceptable answer, given previous training failed? What is done to support and monitor compliance to training? - What changes were made to the system? Why would they address this issue? How does that relate to why the issue? In 2020, publicly trusted CAs should not be expecting that such “incident reports”, if this can even be called that, are sufficient. As stewards of the trust placed in them by Mozilla and the broader community, and by other root stores, substantive and highly detailed, technical responses are expected. The goal of these reports is to both simultaneously address concerns caused by the failure to adhere to expectations and to help ensure that all CAs have an opportunity to learn from and implement similar mechanisms. If the response does not have sufficient information to allow for an independent implementation of whatever mitigations, and to the same level of assurance, it quite simply is not a response that meets expectations. We need to be able to work together, as an industry, to move things forward, and that requires complete transparency. On Thu, May 28, 2020 at 7:55 PM Daniela Hood via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello, > > We have made improvements on our problem reporting process, provided more > training to our agents and made changes in our system to assure that such > error would not happen again. We will keep on working with the community to > find solutions that could benefit the industry, in hopes to avoid such > errors from occurring. > > Daniela Hood > GoDaddy > > > -----Original Message----- > From: Nick Lamb <n...@tlrmx.org> > Sent: Friday, May 22, 2020 4:50 PM > To: dev-security-policy@lists.mozilla.org > Cc: Daniela Hood <dxh...@godaddy.com> > Subject: Re: GoDaddy: Failure to revoke certificate with compromised key > within 24 hours > > Notice: This email is from an external sender. > > > > On Fri, 22 May 2020 22:48:42 +0000 > Daniela Hood via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > Hello, > > > > Thank you for all the comments in this thread. We filed an incident > > report related to the revocation timing that can be followed here: > > https://bugzilla.mozilla.org/show_bug.cgi?id=1640310. We also > > identified the error in revocation reason as a user error, corrected > > the error and provided feedback to the employee. > > In addition to Ryan's concerns about the supposed ambiguity of a pretty > clear rule in the BRs I am as always interested in what can be learned from > incidents that might help everybody else. > > > What mechanism, if any, would have detected this "user error" in the > absence of a report by a third party to m.d.s.policy ? > > Every CA has humans doing stuff, and humans make mistakes. Whether that's > a Let's Encrypt team member fat-fingering a server configuration or a > Symantec employee using google.com rather than a Symantec name for a > test. But even though it's expected for humans to make mistakes, we demand > more of the Certificate Authority than we could ask of one human. > > Where humans are necessary they will make mistakes and so you need > compensating controls. In this case that might mean reviewing critical work > done by humans. Depending on volume that might mean a second person looks > at every revocation, or it might mean a sample is examined once a week for > example. > > I'd like to see incident reports like this not stop at "user error" for > this reason. Why wasn't the "user error" caught? What (other than "feedback > to the employee") prevents it happening again ? > > > Nick. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
