Changes

CA/Responding To An Incident

1,696 bytes added, 15:04, 15 August 2017
Super-rough first notes
{{draft}}

* Were you aware of this issue before it was reported?
* Scanning your corpus of certs for others with the same issue
* What processes should have prevented this, if any? Why did they fail?
* What steps are you taking to make sure it doesn't happen again?

Take any issuing CA affected offline immediately

Post any updates as new threads, with a comment in the old thread referencing it. (Explain why)

= Examples of Good Practice =

== Let's Encrypt Unicode Normalization Compliance Incident ==

* [https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/g6_zGA2exXw Initial Public Problem Report], 2017-08-10 20:23 UTC (apparently LE were made aware of the problem privately earlier that day)
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/g6_zGA2exXw/_tXldrbIBwAJ Initial Public Response from CA], 2017-08-10 21:53 UTC
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/nMxaxhYb_iY/AmjCI3_ZBwAJY Final Report from CA], 2017-08-11 03:00 UTC

In this case, the CA managed to diagnose, remediate and deploy the fix to production within 24 hours.

== PKIOverheid Short Serial Number Incident ==

* [https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/uD-Li1w1BgAJ Initial Public Problem Report], 2017-07-18 22:26 UTC
* [https://groups.google.com/d/msg/mozilla.dev.security.policy/vl5eq0PoJxY/TzH5eI9dAQAJ Initial Public Response from CA], 2017-07-25 19:20 UTC
* [https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/vl5eq0PoJxY/W1D4oZ__BwAJ Final Report from CA], 2017-08-11 14:39 UTC

While the CA could have provided interim updates, and the final report was a little delayed, its contents were excellent.