On Fri, 23 Oct 2020 at 17:33, Ryan Sleevi <r...@sleevi.com> wrote:
>
> On Fri, Oct 23, 2020 at 8:55 AM Matthias van de Meent via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
>>
>> The current MRSP do not bind the requirements on the reporting of
>> incidents to the CA that the incident was filed on, but generally to
>> CAs.
>>
>> Section 2.4 has the general requirement for a CA to report any
>> incident (which is a failure to comply with the MRSP by any CA). So,
>> if a CA is aware of an incident with another CA which is included in
>> the Mozilla root store, that must be reported, and I agree with that.
>
>
> This sounds like an overly broad reading of Mozilla Policy, and it's not 
> clear to me how you reached it. Could you walk me through the language and 
> help me understand how you reached that conclusion?

Section 2.4 specifies an incident as 'when _a_ CA fails to comply with
any requirement of this policy'. So, an incident is any CA having a
problem.
The next sentence reads that "At a minimum, CAs MUST promptly report
all incidents to Mozilla ...". This can (quite reasonably) be
interpreted as meaning that whenever a CA finds out that any CA fails to
comply with any requirement of the policy, this failure to comply must
be promptly reported to Mozilla.

This is of course not applied this way, but this is quite the
reasonable requirement. Only for the requirements after that do the
requirements become more unreasonable for CAs that are not part
of the incident.

> It would seem like you might be reaching that conclusion from "When a CA" and 
> "CAs", is that right?

Correct.

>
>>
>> But, the requirements also extend to having to regularly update these
>> incidents, and report these incidents in their audit letter, even if
>> they are not related to that CA.
>
>
> As mentioned above, this seems like an overly broad reading, and I'm 
> wondering if that's the source of confusion here. Understandably, it would 
> make no logical sense to expect a third-party reporter to provide updates for 
> a CA incident, whether that third-party is an individual or another CA.
>
> By the logic being applied here, the ultimate sentence in that same paragraph 
> would imply that, from the moment a CA incident is filed, all CAs in 
> Mozilla's Root Program must stop issuance until the affected CA has resolved 
> the issue, which certainly makes no logical or syntactical sense, or, 
> similarly, that Section 4.2 of the policy obligates CAs to respond on behalf 
> of other CAs.

Yes, this is indeed the overly broad (and impractical) reading that I
suggest be updated to be more specific and clear about the intent.
Note that I would like to keep the specific requirement for CAs to
report newly found non-compliances by any CA in the Mozilla root store
to Mozilla, even if this non-compliance originates outside the CA's own
trust hierarchy.

For section 2.4, it might also be as easy as replacing 'CAs' with 'the
CA', as that would point to the CA of 'When a CA' instead of all CAs
in the program.


-Matthias
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy