On Fri, Jan 10, 2025 at 07:08:07AM +0000, Roman Fischer wrote:
> Dear Matt,
>
> >In general, anything that does not get exercised regularly tends to
> >atrophy, and so when it turns out to be needed, it does not perform
> >as well as would be hoped.
>
> I agree. However, as far as I remember at least the delayed
> revocations in the past 1-2 years were not due to CAs incapability to
> do mass-revocation but due to CAs believing that weighing customer's
> claims of negative effects of revocation against complying to the
> mandatory revocation times was acceptable

While that has been the cause of a few of the more high-profile
mass-revocation incidents, there are plenty of others that have
different causes.

> >That's why I support random revocation requirements for *all* CAs --
> >because it is practically axiomatic that all CAs' systems will be
> >less-than-perfect, with problems that have lain dormant, and are only
> >identified by real-world, end-to-end testing. And that's even before
> >we start considering the subscriber-level problems out there...
>
> If testing CAs mass-revocation process is the goal, then we could just
> put a requirement in the BRs.

The word "just" is doing quite a bit of work in that sentence. In any
event, as the word "Baseline" in the name "Baseline Requirements"
implies, the existence of the BRs does not preclude Mozilla from
imposing additional requirements on its program participants.

> Auditors would then check if CAs did mass-revocation tests.

You have an extremely optimistic opinion of the effectiveness of
auditors to prevent incidents, one which is not borne out by history.

> Such tests don't have to be done on productive
> public trusted certificates to prove that the process works. 😊

On the contrary, they *do* have to be done on productive public trusted
certificates, because otherwise you're not doing a full end-to-end test
of the process as used by real revocation requests. And I can tell you,
categorically, with receipts[1], that real world third-party end-to-end
testing of such processes finds real problems.

- Matt

[1] https://bugzilla.mozilla.org/buglist.cgi?email1=Palmer&emailreporter1=1&resolution=FIXED&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&order=Importance&bug_status=RESOLVED&component=CA%20Certificate%20Compliance&product=CA%20Program&query_format=advanced&emailtype1=substring
