Audit and Problems with Mozilla


#1

I am reading very interesting and very important stuff in the firefox bugtracker.

https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
and
https://bugzilla.mozilla.org/show_bug.cgi?id=1230797

they seem to plan to distrust LE explicitly if there won't be the complete audit within the timelimit which is “within ninety (90) days of issuing the first Publicly-Trusted Certificate.” the first public LE Cert is for helloworld which was issued Sep 12 20:22:00 UTC and as it’s conveniently valid for 90 days we can just take the expiration as timelimit for the audit which is Dec 11 20:22:00 the the way, that is

since the cert has changed now, here’s the data from CT:
https://crt.sh/?id=9314793

as this spells out serious trouble I just want to ask how the audit is going.


#2

The second issue was opened by someone outside of Mozilla (who happens to be a commercial CA reseller, I wonder what his motives are). It’s already been closed with “RESOLVED INVALID”. It’s just FUD. No one from Mozilla has in any way indicated that there’s a problem.


#3

thanks @My1 for sharing that !


#4

how should I have known that, it’s not as if everyone from Mozilla runs around with a badge, similar to here.

see above, but even more, some people run around with their CAs (as some from StartCom) but he had just his name there.

For now, the baseline requirements still stand so they need to have an audit within 90 days from the first cert.

what’s a fud?

Baseline 8.1 states

The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme within ninety (90) days of issuing the first Publicly-Trusted Certificate.

shall = must for the people who aren't that good in English.
in short they need a readiness assessment (which already happened) and after that they must get a full audit within 90 days after the first cert.


#5

At least some of the discussion seems to be that the finalized audit can be completed on a longer timeframe.

It’s an acronym standing for Fear Uncertainty and Doubt.

~~ For those terms, I always recommend to refer to RFC 2119, which states:

SHOULD: This word, or the adjective “RECOMMENDED”, mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

The word “MUST” is defined separately. ~~

Edit: I doesn’t read guud. Ignore the above definition complaint. (The bad grammar is intentional. Also, why doesn’t this support strikethrough formatting?)


#6

If you’re correcting someone, do it correctly: the term “SHALL” is defined in the same paragraph as “MUST”: 1. (They are equal.) He didn’t say anything about “SHOULD” :wink:


#7

omg that one made my day


#8

No one said you should have known those things, that’s why I replied. Mozilla’s response to the issue seems to indicate that their interpretation of the policies is that LE has more than 90 days to provide the audit report to them. I would be surprised if a project co-founded and sponsored by Mozilla would somehow forget about Mozilla policies.


#9

yes but the audit itself still has to be done in 90 days after the first cert, and the audit time is most certainly written in the baseline requirements, and that is Friday.

also, I think if they had gotten such an important step completed, it would have been in the blog long ago.


#10

It would not be completed until they got a report. Announcing that it’s completed is like telling everyone in your family you completed some college class while you’re still waiting for the report on your last exam (which you might have failed) - doesn’t really mean much.


#11

the point is they have to have it completed and gotten their report within 90 days iirc, but the point is that it doesn’t exactly matter when LE gives the report to Mozilla. that’s how I think it is.


#12

Shall
Did you know that “shall” is the most misused word in all of legal language? It is. In the current edition of Words and Phrases, “shall” alone is followed by 109 pages of case squibs, and “shall” phrases cover 45 more pages. Yet its misuse is one of the most heavily repeated errors in all of law.

Here’s where lawyers go wrong: When “shall” is used to describe a status, to describe future actions, or to seemingly impose an obligation on an inanimate object, it’s being used incorrectly. For example, all of these are wrong:
Status: “Full capacity” shall have the following meaning . . .
Future action: If . . . then the contract price shall be increased . . .
Faulty imposing of obligation: The remaining oil shall be sold by lessee . . .
To correctly use “shall,” confine it to the meaning “has a duty to” and use it to impose a duty on a capable actor. Bryan A. Garner, A Dictionary of Modern Legal Usage 940–941 (2d ed., Oxford U. Press 1995). Here’s how:
Lessee shall sell the remaining oil . . .
In other words–
Lessee [an actor capable of carrying out an obligation] shall [has a duty to] sell the remaining oil . . .
Some suggest that lawyers are incapable of using “shall” correctly, so we ought to banish it entirely. Michèle M. Asprey, Shall Must Go, 3 Scribes J. Leg. Writing 79 (1992). One recommendation is to use “must” instead. Of course, you cannot search and replace every “shall” with “must.” Scrutinize each use carefully.


#13

As far as I understand… they have till this weekend to complete a full audit. They have 30 more days to file the full report. If they fail, IdenTrust would have to revoke the cert.


#14

Also see Independent audits of Let's Encrypt finished


#15

Here are also the direct links to the docs.

just got mail from mozilla tracker and read the stuff myself: