Thanks for this–I genuinely appreciate the effort–but I think it's not quite the right analysis.
For evaluating the impact of a change to CPS-error revocation policy, we want to consider the set of some CPS-related misissuances that were *not* also BR issues. (And separately were not so serious that they would still require revocation after such a loosening, but I don't exactly know where that line is proposed to be drawn.) A little birdie tells me that analysis of such incidents over the last three years will reveal a total under 50,000 for the number of certificates that have been revoked due to a CPS-breaking-but-not-BR-breaking misissuance. (Prior to Microsoft's misissuance, of course, but that wouldn't have been an issue if it had happened after Microsoft completed the CRL sharding deployment because of very wide adoption of automation by Microsoft's subscriber base [also Microsoft, fair enough].) I have not seen and certainly not performed the analysis in question, but I'm willing to trust it nonetheless.

Mike

On Mon, Jun 16, 2025 at 8:00 PM Jeremy Rowley <[email protected]> wrote:
> Good question. I went through the last year of bugs and found the ones listed below. Determining what is a CPS violation vs. a BR violation is difficult because so many BR violations are also a CPS violation (as a lot of CPS documents mirror the BRs). I split it up between profile errors (at the bottom) and CPS-related issues (at the top), both of which would be solved by automated CPS generation and a shift to treat the CPS document as a technical disclosure instead of a contract.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the full revocation reasons in its CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs but since the T&Cs generally incorporate the CPS I thought I'd count it?
> https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS and the BRs
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info in the CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on T&Cs (which would incorporate the CPS)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not working
> https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document mis-paste
> https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not compliant with CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in violation of CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published in time. This violated the BRs but would also violate the CPS if such items were actually dictated by the CPS instead of just the BRs.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not accepting attachments
> https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the ETSI requirement but not the BRs I think? Which would make it a CPS violation.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update CPS docs (note that the proposal would help remediate this by requiring automatic updates to CPS docs as things change).
> https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS on OCSP responses
> https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA checking
> https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of onboarding SOP
> https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP provided
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
> https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity not permitted in CPS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR address
>
> I'm listing the profile issues as well, as the proposal would address this issue, or at least make these issues more readily identifiable. If CAs are required to provide the profile directly from the CA, the profile can easily be compared to the BRs and issues identified. Right now the profile may not match the CPS, so the CPS will be compliant but the profile will not match the requirements.
>
> Profile mismatches:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert policies
> https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
> https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
> https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
> https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies extension issue
> https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
> https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
> https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
> https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed
>
> On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <[email protected]> wrote:
>
>> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <[email protected]> wrote:
>>
>>> Given the number of bugs related to CPS errors,
>>
>> Perhaps you're in a position to answer this question: how many bugs *have* there been in the last few years related to CPS errors, and how many certs have been subject to revocation for that reason, pre-Microsoft?
>>
>> Mike

--
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqu6o0%3Du3zx%3DwxVjiXfQiog3Ar9rY8HG9HiSuFzZED5B9g%40mail.gmail.com.
