Closed
Bug 1271005
Opened 9 years ago
Closed 8 years ago
Request Let's Encrypt remove our domains from their blacklist
Categories
(Security Assurance :: General, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: gene, Assigned: gene)
Once we've established certificate transparency monitoring (Bug 1270657), contact Let's Encrypt to request that our domains be removed from their blacklists.
The method to request Let's Encrypt remove our domains from the blacklist is to create a bug for Legal (Product: Legal, Component: Trademark) requesting a Mozilla attorney to produce a letter, on letterhead, asking for these changes, and send it to the ISRG/Let's Encrypt security@ email address. ISRG will then verify the attorney really sent it, and the change will take effect. This process comes from ( https://bugzilla.mozilla.org/show_bug.cgi?id=1251768#c41 ) and :ellee clarified how to contact legal in ( https://bugzilla.mozilla.org/show_bug.cgi?id=1251768#c54 ).
Comment 1•8 years ago (Assignee)
I've established certificate transparency monitoring which emits events into MozDef when new certificates are issued. We're still talking in Bug 1270657 about what to do with that data, but the requirement for unblacklisting Let's Encrypt is satisfied.
Jeff Bryner has gotten the go-ahead from security council so we're clear to be unblacklisted.
I'll open the bug with Legal and link it here.
Comment 2•8 years ago (Assignee)
I've requested that Legal draft the letter to the ISRG in Bug 1300195.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago (Assignee)
Flags: needinfo?(jbryner)
Comment 4•8 years ago (Assignee)
Let's Encrypt has suggested we establish DNS CAA records (instead of having them manage the details of what we want blocked). They'll set up the blocks on their side, but we should transition that responsibility to ourselves.
I've asked in this ticket if Akamai (DNS provider for some of our domains) now supports CAA records: https://bugzilla.mozilla.org/show_bug.cgi?id=882128#c59
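How CAA records move that decision to the domain owner, as an added example that is not part of the bug or of Let's Encrypt's code: a simplified RFC 8659 check a CA performs before issuing. The records are constructed for the placeholder domain example.org and placeholder CA ca.example.net; CNAME handling and live DNS lookups are left out.

```python
# Added example: simplified RFC 8659 CAA evaluation (no CNAME handling, no live DNS).
# Constructed records: example.org and ca.example.net are placeholders.
# Each record is (flags, tag, value), as in: example.org. CAA 0 issue "ca.example.net"
SAMPLE_CAA = {
    "example.org": [(0, "issue", "ca.example.net"),
                    (0, "iodef", "mailto:security@example.org")],
    "dev.example.org": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "static.example.org": [(0, "issue", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":          # "*.X" is evaluated starting at X
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """Drop parameters such as "; accounturi=..." and surrounding whitespace."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, fqdn, zone):
    """True if the CA identified by `ca` is permitted to issue for `fqdn`."""
    _, rrset = relevant_rrset(fqdn, zone)
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # For wildcard names, issuewild takes precedence over issue when present.
    props = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not props:
        return True               # no applicable property: issuance unrestricted
    return ca.lower() in {issuer_domain(v) for v in props}


if __name__ == "__main__":
    for name in ("www.example.org", "api.dev.example.org",
                 "*.dev.example.org", "static.example.org", "unlisted.example.com"):
        print(name, may_issue("letsencrypt.org", name, SAMPLE_CAA))
```

A name with no CAA record anywhere up the tree stays open to every CA, so coverage has to start at the registered domain and be overridden only where a subdomain needs a different issuer.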
Comment 5•8 years ago (Assignee)
:jcj Now that the letter has been sent to ISRG ( https://bugzilla.mozilla.org/show_bug.cgi?id=1300195#c14 ) do you know if/how they will notify us that we've been unblacklisted?
Flags: needinfo?(jjones)
Comment 6•8 years ago
(In reply to Gene Wood [:gene] from comment #5)
> :jcj Now that the letter has been sent to ISRG (
> https://bugzilla.mozilla.org/show_bug.cgi?id=1300195#c14 ) do you know
> if/how they will notify us that we've been unblacklisted?
You and Jeff are going to get an email when it's official. I have reason to believe today's the day, however.
Flags: needinfo?(jjones)
Comment 7•8 years ago
OK, it's officially done. There'll be an email sometime... but it's done.
Status: RESOLVED → VERIFIED
Comment 8•8 years ago (Assignee)
Excellent, I've tested it and confirmed it's working.
---------- Forwarded message ----------
From: Sheridan Roberts <sxxxxxxxxxxxxg>
Date: Thu, Sep 29, 2016 at 9:48 AM
Subject: Mozilla Blacklist Changes
To: Jeff Bryner <jxxxxxxxxxxxm>, Wood <gxxxxxxxxxxxxm>
Cc: Josh Aas <jxxxxxxxxxxxxxxg>
Hello,
The domain blacklist changes you submitted were reviewed by the security committee and have been implemented.
If you have any questions don't hesitate to ask.
Thanks,
Sheridan Roberts
Let's Encrypt
Updated•8 years ago (Assignee)
Group: mozilla-employee-confidential