Changes

Jump to: navigation, search

CA/Responding To An Incident

10 bytes removed, 23:36, 15 April 2019
Revocation: Responding to Ryan Sleevi's feedback on MDSP
This means that, in most cases of misissuance, the CA has an obligation under the BRs to revoke the certificates concerned within 5 days.
Mozilla recognizes that in some '''exceptional ''' circumstances, revoking misissued certificates within the prescribed deadline may cause significant harm, such as when the certificate is used in critical infrastructure and cannot be safely replaced prior to the revocation deadline, or when the volume of revocations in a defect affects short period of time would result in a massive number of Subscribers and certificateslarge cumulative impact to the web. However, Mozilla does not grant exceptions to the BR revocation requirements. It is our position that your CA is ultimately responsible for deciding if the harm caused by following the requirements of BR section 4.9.1 outweighs the risks that are passed on to individuals who rely on the web PKI by choosing not to meet this requirement.
If your CA will not be revoking the certificates within the time period required by the BRs, our expectations are that:
* The decision and rationale for delaying revocation will be disclosed to Mozilla in the form of a preliminary incident report immediately; preferably before the BR mandated revocation deadline. The rationale must include an explanation for why the situation is exceptional. Responses similar to “we deem this misissuance not to be a security risk” are generally not acceptable, and must be discussed on the mozilla.dev.security.policy list. When revocation is delayed at the request of specific Subscribers, the rationale should must be provided on a per-Subscriber basis.* Any decision to not comply with the timeline specified in the Baseline Requirements must also be accompanied by a clear timeline describing if and when the problematic certificates will be revoked or expire naturally, and supported by the rationale to delay revocation.
* The issue will need to be listed as a finding in your CA’s next BR audit statement.
* Your CA will work with your auditor (and supervisory body, as appropriate) and the Root Store(s) that your CA participates in to ensure your analysis of the risk and plan of remediation is acceptable.
136
edits

Navigation menu