On Tue, Jun 02, 2020 at 06:38:12PM -0700, Benjamin Seidenberg via 
dev-security-policy wrote:
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.

I've sent several hundred certificate problem reports to a number of CAs in
the past few months, and I'm yet to get marketing spam from Sectigo as a
result.  I have had one (suspected) scrape-from-problem-report incident from
a different CA, but I can't be 100% sure, since I was at that time still
sending out problem reports from my personal address.  I now use per-report
plus-addressed addresses that go to a dedicated account -- it's possible that
the spamcannons don't recognise + as a valid local-part character, though.
<grin>

> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speak to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.

No, I am not aware of anything specific to CAs/PKIs that would prohibit such
a practice.  You'd need to fall back to general data-handling legislation
like GDPR, California's new statute, and so on (as relevant to your
jurisdiction).

> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?

It's certainly dumb as rocks, because the sort of people who are reporting
problems to CAs are not, by and large, the sort of people who are going to
be purchasing managers for things like managed PKI, and those same people
are also probably going to be the sort of people who are not fans of getting
spammed.  However, Rule 1, I believe, is that spammers are dumb.  If they
weren't, they wouldn't scrape whois data for abuse reporting addresses...

As far as making requirements in Mozilla Policy, I have my doubts that it'd
really fly.  As you note, the far more risky problem of having problem
reporters exposed to potential unpleasantness from incompetent subscribers
being unhappy at the wrong people:

> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.

was not conclusively addressed, and so I doubt there would be much interest
in a rule that said "thou shalt not spam people who report problems".

For all those reasons and more, I've switched to a separate e-mail account
and per-report addresses -- no (obvious) human to threaten with spurious
lawsuits, and if I get spam it's blindingly obvious where it came from.  The
automated reporting system I've set up also watches OCSP for revocation times
and keeps full and complete records of all correspondence and timestamps, so
I can tell exactly what (for example) the reporting timeframes were, and
whether the BR requirements were met.

On that front, actually, would it be of any use to you (or others) if there
was a way to route your problem reports through my Revokinator system?  It'd
give you some amount of protection against spam and the such like, and
built-in OCSP / revocation time tracking.

- Matt
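The record-keeping Matt describes (timestamped correspondence, OCSP polling, and a check of whether the CA revoked within the BR window) can be sketched as a small ledger. The following is an added example for illustration; it is not part of the original thread and is not the code of the "Revokinator" system mentioned above. Assumptions: the 24-hour deadline is the Baseline Requirements' revocation window for key compromise (section 4.9.1.1); the class names, the event kinds, and all sample timestamps and serials are constructed; OCSP polling is represented by observations fed into the ledger rather than by network requests.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumption: Baseline Requirements 4.9.1.1 give the CA 24 hours to revoke once
# it has evidence of key compromise; other revocation reasons carry longer windows.
KEY_COMPROMISE_DEADLINE = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    when: datetime                    # tz-aware time the reporter logged the event
    kind: str                         # "report_sent" | "ca_reply" | "ocsp_poll"
    detail: str                       # free text, or OCSP certStatus: good/revoked/unknown
    revocation_time: Optional[datetime] = None   # revokedInfo.revocationTime, if revoked


@dataclass
class ProblemReport:
    serial: str                       # hex serial of the reported certificate (constructed)
    reason: str                       # e.g. "keyCompromise"
    events: List[Event] = field(default_factory=list)

    def record(self, event: Event) -> None:
        if event.when.tzinfo is None:
            raise ValueError("log timestamps must be timezone-aware")
        self.events.append(event)

    def report_sent_at(self) -> datetime:
        return min(e.when for e in self.events if e.kind == "report_sent")

    def _polls(self, status: str) -> List[Event]:
        return sorted((e for e in self.events
                       if e.kind == "ocsp_poll" and e.detail == status),
                      key=lambda e: e.when)

    def stated_revocation_time(self) -> Optional[datetime]:
        """revocationTime the CA asserts in the first 'revoked' OCSP response seen."""
        revoked = self._polls("revoked")
        return revoked[0].revocation_time if revoked else None

    def first_observed_revoked(self) -> Optional[datetime]:
        """When the reporter's own poller first saw 'revoked': an independent
        upper bound that does not rely on the CA's asserted time."""
        revoked = self._polls("revoked")
        return revoked[0].when if revoked else None

    def time_to_revoke(self) -> Optional[timedelta]:
        stated = self.stated_revocation_time()
        return None if stated is None else stated - self.report_sent_at()

    def deadline_met(self, deadline: timedelta = KEY_COMPROMISE_DEADLINE,
                     now: Optional[datetime] = None) -> Optional[bool]:
        """True/False once revoked; while unrevoked, None until the deadline
        passes and False afterwards."""
        ttr = self.time_to_revoke()
        if ttr is not None:
            return ttr <= deadline
        now = now or datetime.now(timezone.utc)
        return False if now - self.report_sent_at() > deadline else None

    def revocation_time_plausible(self) -> Optional[bool]:
        """A stated revocationTime earlier than the last poll that still returned
        'good' deserves a closer look (responder caching can explain a small
        gap, but not a large one). None while the certificate is unrevoked."""
        stated = self.stated_revocation_time()
        if stated is None:
            return None
        good = self._polls("good")
        return not good or stated >= good[-1].when


def sample_reports():
    """Constructed sample data (not real correspondence): one report acted on
    within the window, one still pending."""
    t0 = datetime(2020, 6, 1, 10, 0, tzinfo=timezone.utc)
    done = ProblemReport(serial="0A1B2C", reason="keyCompromise")
    done.record(Event(t0, "report_sent", "key compromise, private key attached"))
    done.record(Event(t0 + timedelta(minutes=5), "ocsp_poll", "good"))
    done.record(Event(t0 + timedelta(hours=2), "ca_reply", "ticket opened"))
    done.record(Event(t0 + timedelta(hours=12), "ocsp_poll", "good"))
    done.record(Event(t0 + timedelta(hours=17), "ocsp_poll", "revoked",
                      revocation_time=t0 + timedelta(hours=16, minutes=30)))
    pending = ProblemReport(serial="0D0E0F", reason="keyCompromise")
    pending.record(Event(t0, "report_sent", "key compromise, private key attached"))
    pending.record(Event(t0 + timedelta(hours=1), "ocsp_poll", "good"))
    return done, pending


if __name__ == "__main__":
    for r in sample_reports():
        print(r.serial, "time_to_revoke:", r.time_to_revoke(),
              "deadline_met:", r.deadline_met(),
              "plausible:", r.revocation_time_plausible())
```

Keeping both the CA-stated revocationTime and the poller's own first-observed time matters: the former is what the CA asserts, the latter is what the reporter can independently vouch for if the timeline is later disputed.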

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
