Proposed change to CA contact policy

The CCADB stores a couple of different types of "contact" records:

* Primary POC (1 or more): someone who is "authorized to speak for and
to bind the CA that they represent."
* POC (0 or more): Another contact at that CA.
* Email Alias (1 or 2): defined as "more likely to continue working as
personnel change".

All are per-organization values, and I don't believe any of them are
published. However, this then leads to a question about which contacts
should be used in what circumstances.

The Common CCADB Policy says:

"Notification of security and audit-related issues will be emailed to
all POCs and the email aliases; CAs are advised to supply sufficient
POCs that will enable them to respond to an issue promptly."

This is a bit of an administrative pain.

The proposal is to change things to put the burden of ensuring the
appropriate distribution of messages on to the CA. In future, we would
just email the first email alias; CAs are responsible for making sure
that value is a mailing list which goes to all appropriate parties or
systems necessary to provide a timely response.

Any objections?

Gerv
0
Gervase
10/9/2017 10:41:15 AM
mozilla.dev.security.policy 1213 articles. 1 followers. Post Follow

5 Replies
33 Views

Similar Articles

[PageSpeed] 42

On Monday, 9 October 2017 12:41:53 UTC+2, Gervase Markham  wrote:
> The CCADB stores a couple of different types of "contact" records:
> 
> * Primary POC (1 or more): someone who is "authorized to speak for and
> to bind the CA that they represent."
> * POC (0 or more): Another contact at that CA.
> * Email Alias (1 or 2): defined as "more likely to continue working as
> personnel change".
> 
> All are per-organization values, and I don't believe any of them are
> published. However, this then leads to a question about which contacts
> should be used in what circumstances.
> 
> The Common CCADB Policy says:
> 
> "Notification of security and audit-related issues will be emailed to
> all POCs and the email aliases; CAs are advised to supply sufficient
> POCs that will enable them to respond to an issue promptly."
> 
> This is a bit of an administrative pain.
> 
> The proposal is to change things to put the burden of ensuring the
> appropriate distribution of messages on to the CA. In future, we would
> just email the first email alias; CAs are responsible for making sure
> that value is a mailing list which goes to all appropriate parties or
> systems necessary to provide a timely response.
> 
> Any objections?
> 
> Gerv


May I suggest also changing the labels in such a way that there can be zero, zilch, nada doubt which E-Mail adres field is the all important one that they will have to get right? ;-)

CU Hans
0
okaphone
10/9/2017 12:26:22 PM
On Monday, 9 October 2017 11:41:53 UTC+1, Gervase Markham  wrote:
> Any objections?

One nice thing about the current situation is that CAs are permitted (thoug=
h not obliged) to arrange robustness against technical failure.

If the only official way to contact Honest Achmed's CA is to email achmed@h=
onestca.example, and then whoops, honestca.example have a SMTP server outag=
e or they get blacklisted by the email provider we use unknown to us, or a =
million other things happen, we can't contact Achmed at all.

Right now, if Achmed is worried about that he can list achmed@gmail.com, an=
d osman@hotmail.com (Achmed's cousin Osman still uses Hotmail in 2017) and =
so on, and Mozilla has a better chance to actually reach somebody. Yes it's=
 more hassle, but handling _that_ part is surely something Mozilla could wo=
rry about?
0
Nick
10/9/2017 3:33:28 PM
On Monday, October 9, 2017 at 8:33:39 AM UTC-7, Nick Lamb wrote:

> One nice thing about the current situation is that CAs are permitted (tho=
ugh not obliged) to arrange robustness against technical failure.
>=20
> If the only official way to contact Honest Achmed's CA is to email achmed=
@honestca.example, and then whoops, honestca.example have a SMTP server out=
age or they get blacklisted by the email provider we use unknown to us, or =
a million other things happen, we can't contact Achmed at all.
>=20
> Right now, if Achmed is worried about that he can list achmed@gmail.com, =
and osman@hotmail.com (Achmed's cousin Osman still uses Hotmail in 2017) an=
d so on, and Mozilla has a better chance to actually reach somebody. Yes it=
's more hassle, but handling _that_ part is surely something Mozilla could =
worry about?

Echoing Mr. Lamb's concern, I would think that defining two "important noti=
ce role/mailing list recipient addresses" and always sending important noti=
ces to both.  This would allow for a mailing list on CA internal infrastruc=
ture as well as one on external infrastructure.
0
Matthew
10/9/2017 5:04:22 PM
On 09/10/17 18:04, Matthew Hardeman wrote:
> Echoing Mr. Lamb's concern, I would think that defining two
> "important notice role/mailing list recipient addresses" and always
> sending important notices to both.  This would allow for a mailing
> list on CA internal infrastructure as well as one on external
> infrastructure.

Kathleen now says she would prefer to email the Primary POCs and CC the
email aliases. Handily, this allows for what you suggest. So consider
the proposal changed to that.

Gerv

0
Gervase
10/11/2017 10:50:59 AM
On 11/10/17 11:50, Gervase Markham wrote:
> Kathleen now says she would prefer to email the Primary POCs and CC the
> email aliases. Handily, this allows for what you suggest. So consider
> the proposal changed to that.

Or rather, email the primary POCs and CC the first email alias.

Gerv
0
Gervase
10/16/2017 10:38:08 AM
Reply: