Captain Foo posted:

honestly seems a lot easier than figuring out, say, Oracle v Goog

Shumagorath posted:

the correct decision there was to walk both Larrys into the volcano

Bruce Morton posted:

(In reply to Wayne from comment #13)

Wayne posted:

In regards to Entrust's CCADB Entry the Problem Reporting Mechanism field shows a misalignment with their CPS and outdated information.
- Problem Reporting Mechanism
- ecs[dot]support[at]entrustdatacard[dot]com
- abuse[at]affirmtrust[dot]com
- https://www.entrust.net/ev/misuse.cfm
- https://www.affirmtrust.com/ssl/
Q1) Entrust's CPS 3.20 notes an email address of the domain entrust.com instead of entrustdatacard.com, so for consistency would it be better to update that record?

Per the Baseline Requirements, CPS section 1.5.2 is where the CA must provide the method to submit a certificate problem report. We also need to provide this information to the CCADB and apologize as this is out of date. We have opened a case in CCADB to update the information.

Please note that we have migrated away from @entrustdatacard,com, so email addresses ending with @entrust.com are correct.

Wayne posted:

Q2) The misuse form was last active in 2019, according to the wayback machine, would this be better off removed?

We have removed with our CCADB case.

Wayne posted:

Q3) The Affirmtrust link points at generic ssl sales page with an abuse email address already noted above, is it useful at all?

Agreed, not useful. The address will be removed with the CCADB case.

Wayne posted:

I trust that this is not an issue that reflects on Entrust alone, but reflects a need for the CA Issuers to be more thorough in their contact methods. To that end I'm keeping this as a comment in a relevant bug report rather than opening an additional one. As a general question is there a practice in the CA community of reviewing these records annually?

I am not aware if this is a practice. We will consider creating an annual review in our process to ensure the CCADB CA OWNER page is correct.

Rob Stradling posted:

Bruce Morton posted:

I am not aware if this is a practice. We will consider creating an annual review in our process to ensure the CCADB CA OWNER page is correct.

Chrome Root Program Policy v1.1 (published 1st June 2022) said (emphasis mine):
"Minimally, CA operators must ensure information stored in the CCADB is reviewed monthly and updated as needed."

That "reviewed monthly and updated" phrase persisted through to Chrome Root Program Policy v1.4, but was removed in v1.5 (the current version) because it had become redundant. The current requirement is even stricter than "monthly"...

The CCADB policy says (emphasis mine):
"Regardless of more specific provisions in these requirements, CA Owners have an overarching responsibility to keep the information in the CCADB about themselves, their operations and their certificates accurate, and to make updates in a timely fashion. Minimally, CA Owners with certificates included in a participating Store must ensure their information stored in the CCADB is kept up to date as changes occur."

Chrome Root Program Policy v1.5 (and v1.4) says (emphasis mine):
"Chrome Root Program Participants must...Follow the requirements defined in the CCADB policy...In instances where the CCADB policy conflicts with this policy, this policy must take precedence...When a timeline is not defined for a requirement specified within the CCADB policy, updates must be submitted to the CCADB within 14 calendar days of being completed."

I don't see any timeline defined in the CCADB policy regarding how quickly a CA must update its Problem Reporting Mechanism information in CCADB when any change occurs, which means that the effective requirement (for any CA that is a Chrome Root Program Participant) is 14 calendar days.

Wiggly Wayne DDS posted:

if you'll recall a mentioned a few days ago that entrust's contact info on ccadb is out of date.

so i may have been kind and lobbed a softball to entrust to get them to lower their guard over the weekend, and it's worked:

this was the only thing entrust responded to yesterday presumably given it seemed so innocent, anyway sectigo noticed:

thanks sectigo
thectigo

Volmarias posted:

At this point I just want someone to ask them about their stale ligma info, because I feel like it would work even better than anyone expected

Captain Foo posted:

please do not

Volmarias posted:

I will not touch the poop, I'm just imagining someone does.

Raymond T. Racing posted:

imagining is the same level of processes they have at the moment

SIGSEGV posted:

To be honest, posts and any other process, product or byproduct of human existence is in fact sickening and closely linked to poop.

Subjunctive posted:

…I’m still drafting my comment, hmm

Kovacs posted:

Assuming it's your comment I just read now...absolute banger.

My only comment is ccTLD restrictions would just not work in today's internet, or maybe it'd only work for the smaller territorial/gov CAs.

Subjunctive posted:

I think Amir’s proposal makes sense in a world where we’re still adding new roots: you get the keys to some domains at first, maybe your national ones and some of the new stuff, but you need to behave for a while before we trust you with .com.

I think the original discussion around ccTLD restriction was “well if the NL gov’t really wants to gently caress themselves, I guess we could limit to .nl” but it came back up the first time a Chinese organization wanted to be included so they could issue .cn stuff.

IIRC the root application asks prospective CAs what domains they plan to mint for already? maybe I’m misremembering

spankmeister posted:

whoa bugzilla does NOT play nice with safari in lockdown mode

aaomidi posted:

Did that entire thread just get nuked?

spankmeister posted:

whoa bugzilla does NOT play nice with safari in lockdown mode

aaomidi posted:

Someone activated an emergency "lockdown" mode?

Wiggly Wayne DDS posted:

i was submitting some non-entrust comment when it happened so i was worried i'd have 50 posts in a row, alas

Wiggly Wayne DDS posted:

bugzilla seems better now

Zamujasa posted: