Thank you Rob.

On Tue, Oct 9, 2018 at 3:43 AM Rob Stradling via dev-security-policy <[email protected]> wrote:

> "ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs
> of the Mozilla Root Store Policy requirement [2] that
> non-technically-constrained intermediate CA certificates...
>   "MUST be publicly disclosed in the CCADB by the CA that has their
>   certificate included in Mozilla's root program. The CA with a
>   certificate included in Mozilla's root program MUST disclose this
>   information within a week of certificate creation, and before any
>   such subordinate CA is allowed to issue certificates."
>
> In their responses to "ACTION 6" [3], most CAs indicated that...
>   "We are aware of the requirements for intermediate certificate
>   disclosure and have processes in place to ensure that these
>   requirements are met"
>

In fact, every CA except Trustis (no longer issuing certificates) and Certicamara (still hasn't responded) indicated that they comply with this policy.

> There are currently 20 undisclosed non-technically-constrained
> intermediates, belonging to 6 Root Owners, on "Rob's naughty list" [4]
> (snapshot at [5]). All 20 were undisclosed and listed (on [4]) on the
> day the responses to [1] were due (September 30th), which means that
> they have not been disclosed "within a week of certificate creation".
>
> So, ISTM that the "processes in place to ensure that these requirements
> are met" are insufficient/broken for at least the following Root Owners:
>   - Certicámara
>

These are the same four that I reported to Certicamara back in April via https://bugzilla.mozilla.org/show_bug.cgi?id=1455128. I emailed them yesterday about this and their failure to respond to the September CA Communication.

>   - DigiCert
>

Looks like DigiCert disclosed these within a few hours of your email.

>   - DocuSign (OpenTrust/Keynectis)
>

I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1497700

>   - SECOM Trust Systems CO., LTD.
>   - SwissSign AG
>

This is incredibly disappointing given https://bugzilla.mozilla.org/show_bug.cgi?id=1455132 (among other recent SwissSign issues).

>   - Telia Company (formerly TeliaSonera)
>

I reopened https://bugzilla.mozilla.org/show_bug.cgi?id=1451953. This is also disappointing given Telia's other recent issues.

> Wayne, Kathleen:
> Given the number of times that all the CAs in Mozilla's Root Program
> have been reminded about Mozilla's requirements for disclosing
> intermediate certs, I wouldn't blame you if you decided to add these 20
> intermediate certs [5] to OneCRL immediately!
>

I think we should give this serious consideration, although it doesn't help with the majority of these that are trusted for email.

> [1] https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL
>
> [2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited
>
> [3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079
>
> [4] https://crt.sh/mozilla-disclosures#undisclosed
>
> [5] https://crt.sh/reports/20181009_MozillaDisclosures.html#undisclosed
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Email: [email protected]
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

