Thank you for the incident report Pedro.

On Thu, Nov 1, 2018 at 1:36 AM Pedro Fuentes via dev-security-policy <[email protected]> wrote:

> This intermediate was created under a new Root and its main purpose was to issue the required test certificates to request inclusion. As the Root was not yet included in CCADB when the Intermediate was created and therefore could not be disclosed normally, we didn't follow our standard procedure. Additionally, the Intermediate has not been yet put into production and not linked yet to our certificate management platform, so we didn't do the additional verifications before first issuances.
>
> Finally the new Root was included by Mozilla in mid August 2018, and at that point we should have detected the issue, but our process didn't consider this situation and we failed to notice the problem.
>
> Nevertheless, it must be also understood that for a new Intermediate under a Root not yet in CCADB it doesn't seem possible to fully follow section 5.3.2 (The CA with a certificate included in Mozilla's root program MUST disclose this information within a week of certificate creation, and before any such subordinate CA is allowed to issue certificates) because at that point (and until some months later) the parent Root wouldn't be considered in CCADB and in my understanding it's technically not possible to add subordinate CAs.
>
> We totally assume our mistake, as we should have proactively verified compliance with the Mozilla Policy once the new Root was activated in CCADB and detect ourselves the lack of disclosure of this intermediate, even before the new Root was included in the Mozilla Program, but as explained our procedure didn't consider this situation.

This is good feedback. We may add a step to the Mozilla root inclusion process that explicitly calls out the need for all unconstrained intermediates to be disclosed in CCADB when a root is added to CCADB.

- Wayne

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

