Sounds good. The 50k number sounds about right based on those bugs too. Most CPS errors do not require revocation as they are issues in policy instead of cert profiles. Just anecdotally, I think most of the CPS bugs related to missed timelines, largely around CRL and OCSP availability. The ones I saw that required revocation were all profile or CAA violations.
On Wed, Jun 18, 2025 at 7:13 PM Mike Shaver <[email protected]> wrote:
> Ah! I complected some subthreads beyond my ability to keep straight.
>
> Pretend I replied to Aaron or Roman about treating CPS errors as less urgent-to-remedy than other directly-expressed-in-the-certificate errors, if you would be so kind.
>
> Mike
>
> On Wed, Jun 18, 2025 at 9:11 PM Jeremy Rowley <[email protected]> wrote:
>
>> Okay but I'm not proposing a change in CPS-error revocation policy. I am proposing a change in the way CPS docs are generated. I'd like them all to move to github and be pulled directly from the CA systems, turning them into a technical document instead of something human-created (and mostly filled with - IMO - less useful information). For example, does anyone read Section 9? What good is that? I have no concerns with revoking for CPS errors but I think the current way CPS docs are done is error prone and too human-dependent.
>>
>> On Wed, Jun 18, 2025 at 7:07 PM Mike Shaver <[email protected]> wrote:
>>
>>> Thanks for this–I genuinely appreciate the effort–but I think it's not quite the right analysis.
>>>
>>> For evaluating the impact of a change to CPS-error revocation policy, we want to consider the set of some CPS-related misissuances that were *not* also BR issues. (And separately were not so serious that they would still require revocation after such a loosening, but I don't exactly know where that line is proposed to be drawn.)
>>>
>>> A little birdie tells me that analysis of such incidents over the last three years will reveal a total under 50,000 for the number of certificates that have been revoked due to a CPS-breaking-but-not-BR-breaking misissuance. (Prior to Microsoft's misissuance, of course, but that wouldn't have been an issue if it had happened after Microsoft completed the CRL sharding deployment because of very wide adoption of automation by Microsoft's subscriber base [also Microsoft, fair enough].)
>>>
>>> I have not seen and certainly not performed the analysis in question, but I'm willing to trust it nonetheless.
>>>
>>> Mike
>>>
>>> On Mon, Jun 16, 2025 at 8:00 PM Jeremy Rowley <[email protected]> wrote:
>>>
>>>> Good question. I went through the last year of bugs and found the ones listed below. Determining what is a CPS violation vs. a BR violation is difficult because so many BR violations are also a CPS violation (as a lot of CPS documents mirror the BRs). I split it up between profile errors (at the bottom) and CPS related issues (at the top), both of which would be solved by automated CPS generation and a shift to treat the CPS document as a technical disclosure instead of a contract.
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1970567 - Failed to list the full revocation reasons in its CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969842 - This is about T&Cs but since the T&Cs generally incorporate the CPS I thought I'd count it?
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1969036 - violates the CPS and the BRs
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965808 - Conflicting info in the CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965806 - Missing OID on T&Cs (which would incorporate the CPS)
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965804 - CPS clarity issues
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963778 - CPS unavailability
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963629 - CPR in CPS not working
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962829 - policy document mis-paste
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1962830 - Cert change not compliant with CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1955365 - Reused keys in violation of CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1954580 - OCSP not published in time. This violated the BRs but would also violate the CPS if such items were actually dictated by the CPS instead of just the BRs.
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1948600 - outdated CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1942241 - CPR in CPS not accepting attachments
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1938236 - CAA issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1939809 - This violated the ETSI requirement but not the BRs I think? Which would make it a CPS violation.
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1935393 - Failed to update CPS docs (note that the proposal would help remediate this by requiring automatic updates to CPS docs as things change).
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1933353 - violation of CPS on OCSP responses
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1932973 - violation of CAA checking
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1931413 - violation of onboarding SOP
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1925106 - incorrect CP provided
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921573 - CPS issue on DN
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1918380 - Business entity not permitted in CPS
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1914911 - CAA disclosure issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904749 - CAA record issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1904257 - Incorrect CPR address
>>>>
>>>> I'm listing the profile issues as well as the proposal would address this issue, or at least make these issues more readily identifiable. If CAs are required to provide the profile directly from the CA, the profile can easily be compared to the BRs and issues identified. Right now the profile may not match the CPS so the CPS will be compliant but the profile will not match the requirements.
>>>>
>>>> Profiles mismatch:
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1965459 - AIA not correct
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963663 - Multiple cert policies
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1963456 - HTTPS in AIA
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1952591 - SCT issue in certs
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1946921 - DV cert format issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1936908 - Incorrect encoding
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1922906 - LDAP URI issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921598 - Cert Policies extension issue
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1921254 - Duplicate attribute
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1919162 - incorrect profile
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916489 - LDAP in CRLDP
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1916392 - 2 Localities listed
>>>>
>>>> On Sun, Jun 15, 2025 at 7:36 AM Mike Shaver <[email protected]> wrote:
>>>>
>>>>> On Sun, Jun 15, 2025 at 12:13 AM Jeremy Rowley <[email protected]> wrote:
>>>>>
>>>>>> Given the number of bugs related to CPS errors,
>>>>>
>>>>> Perhaps you're in a position to answer this question: how many bugs *have* there been in the last few years related to CPS errors, and how many certs have been subject to revocation for that reason, pre-Microsoft?
>>>>>
>>>>> Mike
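The thread's proposal is that a CPS be generated from the CA's own systems so that the published profile and the issued certificates cannot drift apart, and that such a machine-readable profile can then be checked mechanically. The block below is an added example, not code from this thread or from any CA: a small linter over a constructed, simplified profile representation, with rules modelled on the profile-mismatch bug categories listed above (HTTPS in AIA, LDAP in CRLDP, duplicate subject attributes and two Localities, certificate-policy OIDs the CPS does not declare). The `Profile` and `Finding` types, the rule ids, the `example-ca.test` URIs and the `1.3.6.1.4.1.99999.*` OIDs are all assumptions made up for illustration; the rules are illustrative and are not a complete BR or CPS conformance check.

```python
# Added example: linter for a machine-readable certificate profile.
# Not code from the thread or from any CA; rules are illustrative only.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    rule: str     # short, stable rule id so findings can be tracked over time
    detail: str   # human-readable explanation of what was found


@dataclass
class Profile:
    """Constructed, simplified view of an end-entity certificate profile."""
    subject: list          # ordered (attribute, value) pairs, e.g. ("L", "Lehi")
    aia_ocsp: list         # OCSP URIs carried in the AIA extension
    aia_ca_issuers: list   # caIssuers URIs carried in the AIA extension
    crldp: list            # CRL distribution point URIs
    policies: list         # certificatePolicies OIDs as dotted strings


def _check_http_only(uris, rule, findings):
    # Revocation and issuer pointers are expected as plain HTTP URIs
    # (no HTTPS, no LDAP); the scheme is compared case-insensitively.
    for uri in uris:
        scheme = urlparse(uri).scheme.lower()
        if scheme != "http":
            findings.append(Finding(rule, f"{uri}: scheme '{scheme}' not permitted"))


def lint_profile(profile, declared_policy_oids):
    """Return all findings for one profile against the policy OIDs the CPS declares."""
    findings = []
    _check_http_only(profile.aia_ocsp, "aia-ocsp-scheme", findings)
    _check_http_only(profile.aia_ca_issuers, "aia-caissuers-scheme", findings)
    _check_http_only(profile.crldp, "crldp-scheme", findings)

    # Duplicate subject attributes; this also catches two L (Locality) values.
    counts = {}
    for attr, _value in profile.subject:
        counts[attr] = counts.get(attr, 0) + 1
    for attr, n in counts.items():
        if n > 1:
            findings.append(Finding("subject-duplicate-attribute", f"{attr} appears {n} times"))

    # Every policy OID in the certificate must be one the CPS actually declares,
    # and no OID may be listed twice.
    if len(profile.policies) != len(set(profile.policies)):
        findings.append(Finding("policy-duplicate-oid", "repeated OID in certificatePolicies"))
    for oid in profile.policies:
        if oid not in declared_policy_oids:
            findings.append(Finding("policy-undeclared-oid", f"{oid} not declared in the CPS"))
    return findings


def rule_ids(findings):
    """Sorted, de-duplicated rule ids, convenient for reports and tests."""
    return sorted({f.rule for f in findings})


# Constructed CPS declaration: the CA/B Forum DV OID plus a placeholder CA-specific OID.
CPS_DECLARED_POLICIES = {"2.23.140.1.2.1", "1.3.6.1.4.1.99999.1.1"}

# Constructed profile that should produce no findings.
CLEAN_PROFILE = Profile(
    subject=[("C", "US"), ("ST", "Utah"), ("L", "Lehi"), ("O", "Example Corp"),
             ("CN", "www.example.com")],
    aia_ocsp=["http://ocsp.example-ca.test"],
    aia_ca_issuers=["http://crt.example-ca.test/issuing.cer"],
    crldp=["http://crl.example-ca.test/issuing.crl"],
    policies=["2.23.140.1.2.1"],
)

# Constructed profile reproducing several of the mismatch categories from the thread.
BROKEN_PROFILE = Profile(
    subject=[("C", "US"), ("L", "Lehi"), ("L", "Salt Lake City"), ("CN", "www.example.com")],
    aia_ocsp=["https://ocsp.example-ca.test"],                # HTTPS in AIA
    aia_ca_issuers=["http://crt.example-ca.test/issuing.cer"],
    crldp=["ldap://ldap.example-ca.test/cn=crl"],             # LDAP in CRLDP
    policies=["2.23.140.1.2.1", "1.3.6.1.4.1.99999.9.9"],     # second OID not in the CPS
)

if __name__ == "__main__":
    for name, prof in (("clean", CLEAN_PROFILE), ("broken", BROKEN_PROFILE)):
        print(name)
        for f in lint_profile(prof, CPS_DECLARED_POLICIES):
            print(f"  [{f.rule}] {f.detail}")
```

Because the declared policy set is an input rather than a constant baked into the checker, the same `lint_profile` call can be run against each CA's published profile and CPS pair; a non-empty result is exactly the "profile does not match the CPS" situation the thread describes, surfaced before issuance rather than in an incident bug.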
