Ben,
You may see from my recent posts on a few of these individual bugs that at least some of these incidents in my opinion aren’t ready to close. There has been and continues to be a problem with CAs failing to recognize that BR-mandated revocation deadlines are not theirs to take or leave, and we still have CAs, sometimes nearly a year later, who have not acknowledged this fact nor taken steps to fix their errors. I appreciate your response to one of my recent posts in which you say that a hard commitment to never delay revocation is too much. Though I do not agree, I understand your viewpoint and am taking your guidance. That said, my recollection is that some of these CAs have simply never publicly accepted any culpability nor made an earnest show of changing their priorities. I put it to you that a CA who refuses to accept responsibility for its free choice to ignore the BRs and has no expressed intention to change its decision making has not remediated the problem. I believe such a bug should remain open until the message sinks in. If you concur on this last point, then I request you leave these bugs open just a little longer so the community has a chance to review them and weigh in on which are ready to close and which are not. I don’t imagine this requires a great deal of time, but I don’t see it getting done by tomorrow either. Cheers, -tlc On Sunday, February 2, 2025 at 2:25:39 PM UTC-5 Ben Wilson wrote: > All, > > I am considering closing the following delayed revocation Bugzilla > incidents later this week (Friday, 7-Feb-2025), as listed in meta Bug > 1911183 <https://bugzilla.mozilla.org/show_bug.cgi?id=1911183>: > > 1872738 <https://bugzilla.mozilla.org/show_bug.cgi?id=1872738>, 1877388 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1877388>, 1884568 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1884568>, 1885568 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1885568>, 1886110 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1886110>, 1886532 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1886532>, 1886665 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1886665>, 1887110 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1887110>, 1887888 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1887888>, 1888882 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1888882>, 1889062 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1889062>, 1890685 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1890685>, 1891331 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1891331>, 1892419 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1892419>, 1896053 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1896053>, 1896553 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1896553>, 1898848 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1898848>, 1903066 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1903066>, 1910805 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1910805>, 1916478 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1916478>, and 1924385 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1924385>, > > *provided that the CA operator has completed its stated Action Items and > filed a Closure Summary*. > > My reasoning is as follows: > > I kept these bugs open while we navigated towards a solution for handling > delayed revocations going forward. I believe that the new language in > Mozilla Root Store Policy (MRSP) 3.0, effective March 1, 2025, introduces > significant measures to improve compliance with revocation requirements and > enhance delayed revocation incident reporting. > > Under MRSP section 6.1.3, CA operators will be explicitly required to > engage in proactive subscriber communication, more specific contractual > provisions, and mass revocation preparedness to ensure timely certificate > revocation. Additionally, CAs must undergo third-party assessments to > validate their readiness for large-scale revocations and that they have > documented the outcomes of the testing of their mass revocation plans. > > MRSP section 2.4 incorporates the updated incident reporting requirements > of the CCADB, and mandates that CAs provide detailed and substantiated > justifications in incident reports, explaining delays and impacts on third > parties. It notes that Mozilla does not have any exceptions for delayed > revocation, and that repeated unjustified delays will result in heightened > scrutiny and potential removal from the Mozilla Root Store. > > Also, MRSP section 7.1 will require that new TLS-issuing root certificates > have at least the ability for automated domain control validation, > certificate issuance, and retrieval. This ensures that certificate > management processes are efficient, scalable, and less prone to human > error, aligning with modern security best practices. > > CAs and stakeholders should recognize these changes only as first, yet > important, steps in addressing delayed revocation and reporting. > > Thoughts? > > Thanks, > > Ben > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/16701b3c-e0f1-4bfe-9123-79d2273cc4b9n%40mozilla.org.
