On Mon, Jan 14, 2019 at 11:43 PM Matt Palmer via dev-security-policy <[email protected]> wrote:

> On Mon, Jan 14, 2019 at 05:18:18PM -0700, Wayne Thayer via
> dev-security-policy wrote:
> > * Fairly recent misissuance under the currently included Hong Kong Post
> > Root CA 1: O and OU fields too long [4]. These certificates have all been
> > revoked, but no incident report was ever filed.
>
> I think that, at the very least, all incidents against existing roots should
> be resolved to Mozilla's satisfaction before any new roots from the same
> organisation are considered for inclusion.

There were no unresolved incidents, but I just created one to document the misissued certificates that were revoked in August 2018 [1]. I agree that this should be resolved prior to approval.

I think you and David are also suggesting that the CPS for existing roots must be updated to fix the suspension and revocation issues listed under "bad", and to clarify the external RA concern listed under "meh".

- Wayne

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1520299
[2] https://www.hongkongpost.gov.hk/product/cps/ecert/img/server_cps_en3.pdf

- Matt

