Re: Proposed whiteboard tag for non-incident "bugs"

2024-05-23 Thread 'Ben Wilson' via CCADB Public 
Hi Clint and Rob,
This is relatively easy to implement, and we can start immediately by just
adding [ca-infosharing] in the whiteboard. I've added it to the Mozilla CA
Program wiki - https://wiki.mozilla.org/CA/Bug_Triage#Whiteboard_Tags ("For
non-incident "lessons learned" and other descriptions of comprehensive
steps a CA might take when addressing compliance, or cascading incidents,
or to share its compliance-related experiences for the benefit of the
ecosystem"), and I'll get this added somewhere on the CCADB website.
Thanks,
Ben

On Wed, May 22, 2024 at 4:18 PM 'Clint Wilson' via CCADB Public <
public@ccadb.org> wrote:

> Hi Rob,
>
> This incident is a valuable example for the ecosystem of the steps that
> may be necessary for a CA to take when approaching compliance and incidents
> comprehensively, especially when incidents spiral or cascade into the
> discovery of more underlying or systemic issues than at first appearance. I
> would absolutely encourage other CAs to share (and continue sharing)
> similar information, as we see SSL.com working on with their reseller
> interactions or when Amazon provided a presentation at a recent CA/B Forum
> F2F. Even if the events from which CAs learned a great deal or which
> heavily impacted their ability to successfully comply with industry
> expectations and requirements are in the distant past, such retrospective
> analyses can be incredibly valuable no matter their timing.
>
> I similarly support disclosing such "lessons learned" in Bugzilla and
> having a tag dedicated thereto seems appropriate -- especially if this
> becomes more common for CAs to do. Alternatively, if Mozilla would prefer
> organizing these in some other way, I'm not opposed; the goal here is
> discoverability and there are likely any number of ways to succeed in that
> goal.
>
> Cheers!
> -Clint
>
> On Wednesday, May 22, 2024 at 12:25:12 PM UTC-7 Rob Stradling wrote:
>
>> A few years ago, Sectigo created
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share
>> information about our "Guard Rails" project.  Quoting that bug:
>> *“Guard Rails” is a convenient name for a series of programmatic checks
>> we are putting in place to confirm certificate orders for compliance with
>> specific requirements before issuance can occur. Guard Rails are like
>> Certificate Lints, except that they may be stricter than what CA/B Forum
>> and root program policies require. By defining and adding these checks, we
>> can eliminate potential sources of misissuance and achieve higher overall
>> issuance quality. This initiative is borne in part from the understanding
>> that human-based processes are fundamentally error prone, and to the degree
>> we can implement defined machine processes, our error rate will go down.*
>>
>>
>> We took steps  
>> (comment
>> #1) to avoid this bug being seen as an "incident" bug:
>> *Since this bug is intended to be a repository for information and
>> discussion rather than a response to any particular CA Compliance incident,
>> I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not
>> putting [ca-compliance] in the Whiteboard field. We chose to deviate from
>> the ": " bug title format for the same reason.*
>>
>> However, at some point since then somebody decided to add the
>> "[ca-compliance]" whiteboard tag, which seems problematic to us.
>>
>> In order to clearly identify this type of information sharing "bug", and
>> even to encourage other CAs to consider doing likewise, we would like to
>> propose a new whiteboard tag:
>>
>> [ca-infosharing]
>>
>> --
>> Rob Stradling
>> Distinguished Engineer
>> Sectigo Limited
>>
>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to public+unsubscr...@ccadb.org.
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/2642e3b1-cbc0-4964-9743-b27851ff17b8n%40ccadb.org
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to public+unsubscr...@ccadb.org.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaaQiU_MJE_vhBPtwTeHtDO%2BgzydOfukHd%2B1pfAhF7J5Gg%40mail.gmail.com.

Re: Proposed whiteboard tag for non-incident "bugs"

2024-05-22 Thread 'Clint Wilson' via CCADB Public 
Hi Rob,

This incident is a valuable example for the ecosystem of the steps that may 
be necessary for a CA to take when approaching compliance and incidents 
comprehensively, especially when incidents spiral or cascade into the 
discovery of more underlying or systemic issues than at first appearance. I 
would absolutely encourage other CAs to share (and continue sharing) 
similar information, as we see SSL.com working on with their reseller 
interactions or when Amazon provided a presentation at a recent CA/B Forum 
F2F. Even if the events from which CAs learned a great deal or which 
heavily impacted their ability to successfully comply with industry 
expectations and requirements are in the distant past, such retrospective 
analyses can be incredibly valuable no matter their timing.

I similarly support disclosing such "lessons learned" in Bugzilla and 
having a tag dedicated thereto seems appropriate -- especially if this 
becomes more common for CAs to do. Alternatively, if Mozilla would prefer 
organizing these in some other way, I'm not opposed; the goal here is 
discoverability and there are likely any number of ways to succeed in that 
goal.

Cheers!
-Clint

On Wednesday, May 22, 2024 at 12:25:12 PM UTC-7 Rob Stradling wrote:

> A few years ago, Sectigo created 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share 
> information about our "Guard Rails" project.  Quoting that bug:
> *“Guard Rails” is a convenient name for a series of programmatic checks we 
> are putting in place to confirm certificate orders for compliance with 
> specific requirements before issuance can occur. Guard Rails are like 
> Certificate Lints, except that they may be stricter than what CA/B Forum 
> and root program policies require. By defining and adding these checks, we 
> can eliminate potential sources of misissuance and achieve higher overall 
> issuance quality. This initiative is borne in part from the understanding 
> that human-based processes are fundamentally error prone, and to the degree 
> we can implement defined machine processes, our error rate will go down.* 
>
> We took steps  
> (comment 
> #1) to avoid this bug being seen as an "incident" bug:
> *Since this bug is intended to be a repository for information and 
> discussion rather than a response to any particular CA Compliance incident, 
> I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not 
> putting [ca-compliance] in the Whiteboard field. We chose to deviate from 
> the ": " bug title format for the same reason.*
>
> However, at some point since then somebody decided to add the 
> "[ca-compliance]" whiteboard tag, which seems problematic to us.
>
> In order to clearly identify this type of information sharing "bug", and 
> even to encourage other CAs to consider doing likewise, we would like to 
> propose a new whiteboard tag:
>
> [ca-infosharing]
>
> --
> Rob Stradling
> Distinguished Engineer
> Sectigo Limited
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to public+unsubscr...@ccadb.org.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/2642e3b1-cbc0-4964-9743-b27851ff17b8n%40ccadb.org.

Proposed whiteboard tag for non-incident "bugs"

2024-05-22 Thread 'Rob Stradling' via CCADB Public 
A few years ago, Sectigo created 
https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share 
information about our "Guard Rails" project.  Quoting that bug:
“Guard Rails” is a convenient name for a series of programmatic checks we are 
putting in place to confirm certificate orders for compliance with specific 
requirements before issuance can occur. Guard Rails are like Certificate Lints, 
except that they may be stricter than what CA/B Forum and root program policies 
require. By defining and adding these checks, we can eliminate potential 
sources of misissuance and achieve higher overall issuance quality. This 
initiative is borne in part from the understanding that human-based processes 
are fundamentally error prone, and to the degree we can implement defined 
machine processes, our error rate will go down.

We took steps (comment 
#1) to avoid this bug being seen as an "incident" bug:
Since this bug is intended to be a repository for information and discussion 
rather than a response to any particular CA Compliance incident, I'm 
immediately marking it as RESOLVED INCOMPLETE and deliberately not putting 
[ca-compliance] in the Whiteboard field. We chose to deviate from the ": " bug title format for the same reason.

However, at some point since then somebody decided to add the "[ca-compliance]" 
whiteboard tag, which seems problematic to us.

In order to clearly identify this type of information sharing "bug", and even 
to encourage other CAs to consider doing likewise, we would like to propose a 
new whiteboard tag:

[ca-infosharing]

--
Rob Stradling
Distinguished Engineer
Sectigo Limited



-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to public+unsubscr...@ccadb.org.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB4729E53C500ECA288F150B81AAEB2%40MW4PR17MB4729.namprd17.prod.outlook.com.