Closed Bug 1271005 Opened 8 years ago Closed 8 years ago

Request Let's Encrypt remove our domains from their blacklist

Categories

(Security Assurance :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: gene, Assigned: gene)


Once we've established certificate transparency monitoring (Bug 1270657), contact Let's Encrypt to request that our domains be removed from their blacklists.

The method to request Let's Encrypt remove our domains from the blacklist is to create a bug for Legal (Product: Legal, Component: Trademark) requesting a Mozilla attorney to produce a letter, on letterhead, asking for these changes, and send it to the ISRG/Let's Encrypt security@ email address. ISRG will then verify the attorney really sent it, and the change will take effect. This process comes from ( https://bugzilla.mozilla.org/show_bug.cgi?id=1251768#c41 ) and :ellee clarified how to contact legal in ( https://bugzilla.mozilla.org/show_bug.cgi?id=1251768#c54 ).
I've established certificate transparency monitoring which emits events into MozDef when new certificates are issued. We're still talking in Bug 1270657 about what to do with that data, but the requirement for unblacklisting Let's Encrypt is satisfied.

Jeff Bryner has gotten the go-ahead from security council so we're clear to be unblacklisted.

I'll open the bug with Legal and link it here.
No longer depends on: 1270657
See Also: → 1270657
I've requested that Legal draft the letter to the ISRG in Bug 1300195.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
No longer blocks: 1205728
Flags: needinfo?(jbryner)
r+
Flags: needinfo?(jbryner)
Let's Encrypt has suggested we establish DNS CAA records (instead of having them manage the details of what we want blocked). They'll set up the blocks on their side but we should transition that responsibility to ourselves.

I've asked in this ticket if Akamai (DNS provider for some of our domains) now supports CAA records: https://bugzilla.mozilla.org/show_bug.cgi?id=882128#c59
:jcj Now that the letter has been sent to ISRG ( https://bugzilla.mozilla.org/show_bug.cgi?id=1300195#c14 ) do you know if/how they will notify us that we've been unblacklisted?
Flags: needinfo?(jjones)
(In reply to Gene Wood [:gene] from comment #5)
> :jcj Now that the letter has been sent to ISRG (
> https://bugzilla.mozilla.org/show_bug.cgi?id=1300195#c14 ) do you know
> if/how they will notify us that we've been unblacklisted?

You and Jeff are going to get an email when it's official. I have reason to believe today's the day, however.
Flags: needinfo?(jjones)
OK, it's officially done. There'll be an email sometime... but it's done.
Status: RESOLVED → VERIFIED
Excellent, I've tested it and confirmed it's working.

---------- Forwarded message ----------
From: Sheridan Roberts <sxxxxxxxxxxxxg>
Date: Thu, Sep 29, 2016 at 9:48 AM
Subject: Mozilla Blacklist Changes
To: Jeff Bryner <jxxxxxxxxxxxm>, Wood <gxxxxxxxxxxxxm>
Cc: Josh Aas <jxxxxxxxxxxxxxxg>


Hello,

The domain blacklist changes you submitted were reviewed by the security committee and have been implemented.

If you have any questions don't hesitate to ask.

Thanks,

Sheridan Roberts
Let's Encrypt
Group: mozilla-employee-confidential