"ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs
of the Mozilla Root Store Policy requirement [2] that
non-technically-constrained intermediate CA certificates...
"MUST be publicly disclosed in the CCADB by the CA that has their
certificate included in Mozilla's root program. The CA with a
certificate included in Mozilla's root program MUST disclose this
information within a week of certificate creation, and before any
such subordinate CA is allowed to issue certificates."
In their responses to "ACTION 6" [3], most CAs indicated that...
"We are aware of the requirements for intermediate certificate
disclosure and have processes in place to ensure that these
requirements are met"
There are currently 20 undisclosed non-technically-constrained
intermediates, belonging to 6 Root Owners, on "Rob's naughty list" [4]
(snapshot at [5]). All 20 were undisclosed and listed (on [4]) on the
day the responses to [1] were due (September 30th), which means that
they have not been disclosed "within a week of certificate creation".
So, ISTM that the "processes in place to ensure that these requirements
are met" are insufficient/broken for at least the following Root Owners:
- Certicámara
- DigiCert
- DocuSign (OpenTrust/Keynectis)
- SECOM Trust Systems CO., LTD.
- SwissSign AG
- Telia Company (formerly TeliaSonera)
Wayne, Kathleen:
Given the number of times that all the CAs in Mozilla's Root Program
have been reminded about Mozilla's requirements for disclosing
intermediate certs, I wouldn't blame you if you decided to add these 20
intermediate certs [5] to OneCRL immediately!
[1] https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL
[2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited
[3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079
[4] https://crt.sh/mozilla-disclosures#undisclosed
[5] https://crt.sh/reports/20181009_MozillaDisclosures.html#undisclosed
--
Rob Stradling
Senior Research & Development Scientist
Email: [email protected]
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy