Good question. I went through the last year of bugs and found the ones listed below. Determining what is a CPS violation vs. a BR violation is difficult because so many BR violations are also a CPS violation (as a lot of CPS documents mirror the BRs). I split it up between profile errors (at the bottom) and CPS related issues (at the top), both of which would be solved by automated CPS generation and a shift to treat the CPS document as a technical disclosure instead of a contract.

https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the full revocation reasons in its CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs but since the T&Cs generally incorporate the CPS I thought I'd count it?
https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS and the BRs
https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info in the CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on T&Cs (which would incorporate the CPS)
https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not working
https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document mis-paste
https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not compliant with CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in violation of CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published in time. This violated the BRs but would also violate the CPS if such items were actually dictated by the CPS instead of just the BRs.
https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not accepting attachments
https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the ETSI requirement but not the BRs I think? Which would make it a CPS violation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update CPS docs (note that the proposal would help remediate this by requiring automatic updates to CPS docs as things change).
https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS on OCSP responses
https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA checking
https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of onboarding SOP
https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP provided
https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity not permitted in CPS
https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR address

I'm listing the profile issues as well, as the proposal would address this issue, or at least make these issues more readily identifiable. If CAs are required to provide the profile directly from the CA, the profile can easily be compared to the BRs and issues identified. Right now the profile may not match the CPS so the CPS will be compliant but the profile will not match the requirements.

Profiles mismatch:

https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert policies
https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies extension issue
https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed

On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <[email protected]> wrote:

> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <[email protected]> wrote:
>
>> Given the number of bugs related to CPS errors,
>
> Perhaps you’re in a position to answer this question: how many bugs *have* there been in the last few years related to CPS errors, and how many certs have been subject to revocation for that reason, pre-Microsoft?
>
> Mike
