Ah! I complected some subthreads beyond my ability to keep straight. Pretend I replied to Aaron or Roman about treating CPS errors as less urgent-to-remedy than other directly-expressed-in-the-certificate errors, if you would be so kind.
Mike

On Wed, Jun 18, 2025 at 9:11 PM Jeremy Rowley <[email protected]> wrote:

> Okay but I'm not proposing a change in CPS-error revocation policy. I am proposing a change in the way CPS docs are generated. I'd like them all to move to GitHub and be pulled directly from the CA systems, turning them into a technical document instead of something human-created (and mostly filled with - IMO - less useful information). For example, does anyone read Section 9? What good is that? I have no concerns with revoking for CPS errors but I think the current way CPS docs are done is error-prone and too human-dependent.
>
> On Wed, Jun 18, 2025 at 7:07 PM Mike Shaver <[email protected]> wrote:
>
>> Thanks for this–I genuinely appreciate the effort–but I think it's not quite the right analysis.
>>
>> For evaluating the impact of a change to CPS-error revocation policy, we want to consider the set of some CPS-related misissuances that were *not* also BR issues. (And separately were not so serious that they would still require revocation after such a loosening, but I don't exactly know where that line is proposed to be drawn.)
>>
>> A little birdie tells me that analysis of such incidents over the last three years will reveal a total under 50,000 for the number of certificates that have been revoked due to a CPS-breaking-but-not-BR-breaking misissuance. (Prior to Microsoft's misissuance, of course, but that wouldn't have been an issue if it had happened after Microsoft completed the CRL sharding deployment because of very wide adoption of automation by Microsoft's subscriber base [also Microsoft, fair enough].)
>>
>> I have not seen and certainly not performed the analysis in question, but I'm willing to trust it nonetheless.
>>
>> Mike
>>
>> On Mon, Jun 16, 2025 at 8:00 PM Jeremy Rowley <[email protected]> wrote:
>>
>>> Good question. I went through the last year of bugs and found the ones listed below.
>>> Determining what is a CPS violation vs. a BR violation is difficult because so many BR violations are also a CPS violation (as a lot of CPS documents mirror the BRs). I split it up between profile errors (at the bottom) and CPS related issues (at the top), both of which would be solved by automated CPS generation and a shift to treat the CPS document as a technical disclosure instead of a contract.
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the full revocation reasons in its CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs but since the T&Cs generally incorporate the CPS I thought I'd count it?
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS and the BRs
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info in the CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on T&Cs (which would incorporate the CPS)
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not working
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document mis-paste
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not compliant with CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in violation of CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published in time. This violated the BRs but would also violate the CPS if such items were actually dictated by the CPS instead of just the BRs.
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not accepting attachments
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the ETSI requirement but not the BRs I think? Which would make it a CPS violation.
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update CPS docs (note that the proposal would help remediate this by requiring automatic updates to CPS docs as things change).
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS on OCSP responses
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA checking
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of onboarding SOP
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP provided
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity not permitted in CPS
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR address
>>>
>>> I'm listing the profile issues as well, as the proposal would address this issue, or at least make these issues more readily identifiable. If CAs are required to provide the profile directly from the CA, the profile can easily be compared to the BRs and issues identified. Right now the profile may not match the CPS, so the CPS will be compliant but the profile will not match the requirements.
>>> Profile mismatches:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert policies
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies extension issue
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed
>>>
>>> On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <[email protected]> wrote:
>>>
>>>> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <[email protected]> wrote:
>>>>
>>>>> Given the number of bugs related to CPS errors,
>>>>
>>>> Perhaps you’re in a position to answer this question: how many bugs *have* there been in the last few years related to CPS errors, and how many certs have been subject to revocation for that reason, pre-Microsoft?
>>>>
>>>> Mike

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqtpCFyG2coSZM-vWnL61%2BdFo2jyEsvbYuTp-fZXATPLWQ%40mail.gmail.com.
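Jeremy's point that a profile pulled straight from the CA's systems "can easily be compared to the BRs and issues identified" is straightforward to show in code. What follows is an added example written for this page, not code from the thread, from any CA, or from any linter project: a small Go program (standard library only) that flags the profile-mismatch classes the thread lists (an AIA URL that is not plain http://, an ldap:// CRL distribution point, more than one certificate policy OID, a subject attribute repeated with the same type and value, and two Locality values) and runs those checks over a self-signed certificate constructed in memory with all of those defects. Every name, URL and the 1.3.6.1.4.1.99999.1 policy OID is made up; which of these conditions is actually forbidden, and in which certificate types, is for the BR profile section to decide, so treat the multiple-policies and duplicate-attribute results as flags for review rather than verdicts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one profile-vs-requirements mismatch in a certificate.
type Finding struct {
	Check  string // short label for the class of issue
	Detail string // the offending value
}

// policyInfo is the minimal PolicyInformation (RFC 5280 4.2.1.4), used only
// to give the constructed test certificate two policy OIDs; qualifiers omitted.
type policyInfo struct {
	Policy asn1.ObjectIdentifier
}

func hasScheme(u, scheme string) bool {
	return strings.HasPrefix(strings.ToLower(u), scheme+"://")
}

// LintProfile flags the mismatch classes named in the thread. The checks are
// this example's own reading of those classes, not a transcription of the BRs.
func LintProfile(c *x509.Certificate) []Finding {
	var out []Finding
	aia := append(append([]string{}, c.IssuingCertificateURL...), c.OCSPServer...)
	for _, u := range aia {
		if !hasScheme(u, "http") { // "HTTPS in AIA" / "AIA not correct"
			out = append(out, Finding{"aia-not-http", u})
		}
	}
	for _, u := range c.CRLDistributionPoints {
		if hasScheme(u, "ldap") { // "LDAP in CRLDP"
			out = append(out, Finding{"crldp-ldap", u})
		}
	}
	if len(c.PolicyIdentifiers) > 1 { // "Multiple cert policies": flag for review
		out = append(out, Finding{"multiple-policies", fmt.Sprint(c.PolicyIdentifiers)})
	}
	seen := map[string]bool{} // "Duplicate attribute": same type and value twice
	for _, atv := range c.Subject.Names {
		key := atv.Type.String() + "=" + fmt.Sprint(atv.Value)
		if seen[key] {
			out = append(out, Finding{"duplicate-attribute", key})
		}
		seen[key] = true
	}
	if len(c.Subject.Locality) > 1 { // "2 Localities listed"
		out = append(out, Finding{"multiple-localities", strings.Join(c.Subject.Locality, "; ")})
	}
	return out
}

// Checks returns only the check labels, in order, for easy comparison.
func Checks(fs []Finding) []string {
	var s []string
	for _, f := range fs {
		s = append(s, f.Check)
	}
	return s
}

// BuildBadTestCert constructs, in memory, a self-signed certificate carrying
// every mismatch above. All names, URLs and the private-arc OID are made up.
func BuildBadTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	oidOrg := asn1.ObjectIdentifier{2, 5, 4, 10}
	policies, err := asn1.Marshal([]policyInfo{
		{asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}},        // CA/B Forum DV policy OID
		{asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}}, // made-up CA-specific OID
	})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234),
		Subject: pkix.Name{
			CommonName: "example.test",
			Locality:   []string{"Lehi", "Provo"}, // two L values
			ExtraNames: []pkix.AttributeTypeAndValue{ // O repeated verbatim
				{Type: oidOrg, Value: "Example CA"},
				{Type: oidOrg, Value: "Example CA"},
			},
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IssuingCertificateURL: []string{"https://aia.example.test/ca.crt"}, // https, not http
		OCSPServer:            []string{"http://ocsp.example.test"},
		CRLDistributionPoints: []string{"ldap://ldap.example.test/cn=crl"},
		ExtraExtensions: []pkix.Extension{
			{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}, // certificatePolicies
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := BuildBadTestCert()
	if err != nil {
		panic(err)
	}
	for _, f := range LintProfile(cert) {
		fmt.Printf("%-20s %s\n", f.Check, f.Detail)
	}
}
```

Pointed at real issuance, `BuildBadTestCert` would be replaced by parsing the certificates a CA actually signed (or the profile template its systems emit), and the check list would be generated from the BR profile rather than hand-written, which is exactly the "technical document pulled from CA systems" that the proposal describes. The value of running it this way is that a mismatch shows up at issuance time as a concrete finding against a concrete field, not as a disagreement between two prose documents.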
