Define how quickly CAs must report revocation of intermediate cert

[WilsonKathleen]

Now that CAs can provide their revoked intermediate cert data via the Common CA Database, we should add a requirement for them to provide this data within a certain amount of time after the revocation.

Reference:
https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce

[WilsonKathleen]

Another reference:
https://wiki.mozilla.org/CA:ImprovingRevocation#When_To_Notify_Mozilla

[gerv]

This is in the draft CCADB policy:

"If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."

[WilsonKathleen]

What if the intermediate certificate is revoked due to a security reason?
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#enforcement
"1. When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the Mozilla Policy for Handling Security Bugs should be followed."

Is it sufficiently clear that if the CA revokes an intermediate certificate for a security reason, then the CA must send email to security@mozilla.org within 24 hours?
If not, does that belong in the CCADB policy? Or in Mozilla's CA Certificate Policy?
Is it possible that there could be a security situation in which we would need to create a private security bug and add the information to OneCRL before it is disclosed publicly via CCADB?

[gerv]

Is it sufficiently clear that if the CA revokes an intermediate certificate for a security reason, then the CA must send email to security@mozilla.org within 24 hours?

Yes - that part is in the Mozilla-specific CCADB policy.

Is it possible that there could be a security situation in which we would need to create a private security bug and add the information to OneCRL before it is disclosed publicly via CCADB?

I don't know; is there? :-) If there is, we may need to define a different process.

[jvehent]

I would note that OneCRL is a public collection: once it's published to Firefox, the cat is out of the bag.
We do have the ability to stage confidential changes though.

[WilsonKathleen]

Is it sufficiently clear that if the CA revokes an intermediate certificate for a security reason,
then the CA must send email to security@mozilla.org within 24 hours?

Yes - that part is in the Mozilla-specific CCADB policy.

Sorry, I should have said: "Is it sufficiently clear in Mozilla's CA Certificate Policy..."
Because I don't think that is specific to the CCADB, so I don't think it belongs in the CCADB policy.

[gerv]

@WilsonKathleen: All CAs in our program use the CCADB, right? So, once we start using the CCADB policy and Mozilla CCADB policy, those documents will be as much part of our root program policy as the current main policy document is.

The need to email security@mozilla.org is not, in one sense, specific to the CCADB, but all of the other steps which they need to take when revoking an intermediate certificate are in the CCADB policy, so it makes some sense to put this step in there as well, IMO.

[gerv]

I think this is all OK as it is.