Thanks. I'm still a little confused by the timeline and response, and the roles involved, and I appreciate the continued clarifications.
The initial report stated, in Comment #0:
- 2019-05-15 9:00 PT - Code review identified that the software that checks certificates for Baseline compliance was not enforcing a max length of 64 characters for CNs.
- 2019-05-15 11:24 PT - The only two impacted certificates that were still valid were revoked by the developer who identified the issue.
- 2019-05-21 14:30 PT - Compliance team was notified about the issue.
The latest response, in Comment #4, states:
We offer a self-service portal for subscribers to revoke their own certificates, which was used by the developer (who was also the subscriber) to revoke the impacted certificates based on the subscriber's initial suspicion that a problem existed. After further analysis, the subscriber notified the compliance team.
I'm trying to understand the relationship of the events here. The later response seems to suggest it was a Subscriber-initiated revocation, and that's why compliance was not notified. However, the original response seems to very clearly indicate that there was a specific evaluation of the software that checks certificates for Baseline compliance.
That's why I'm still confused about why the compliance team was not notified during the code review process. Is it that Subscribers at Apple have access to perform code review themselves? That seems to be the only interpretation I can reach by the facts available, and I'm unclear if the Subscriber-who-requested-revocation was part of the CA operations in any capacity.
If the revocation-initiator is part of the CA team, then it suggests a process breakdown in involving the necessary teams when revoking for compliance reasons, and suggests another issue here that needs remediation.
If the revocation-initiator is not part of the CA team (and is truly only a Subscriber), and may merely incidentally have access to read the CA software and perform their analysis, then the main issue is the lack of detection.
To be clear: I'm not trying to blame the revocation-initiator, but I'm trying to understand their role to understand what systemic safeguards could or should have existed. Any time any member of the CA team discovers an issue, the CA should have processes in place to ensure that it is reported to the Compliance team. If a member of the CA is performing revocation - even for their own certificates - that's the sort of thing you want to make sure you have some sort of review, auditing, or assessment on, to make sure that the aforementioned processes aren't failing - a second set of eyes looking into why it was revoked and making sure policies are followed.