[Wearing Sectigo hat] Andrew, thanks for filing [1]. Sectigo will provide a full response on that bug, but I'll just note here that we have updated the CCADB records for the cross-certificates such that the Audit and CP/CPS details are now consistent with the Web.com roots. As it happens, I was already aware of this inconsistency, but I'd delayed fixing it so that I could use it as a test case for...
[Wearing crt.sh hat] https://crt.sh/mozilla-disclosures now has two new buckets:
- Disclosed, but with Inconsistent Audit details
- Disclosed, but with Inconsistent CP/CPS details

(I started discussing this new feature with Kathleen, Wayne and Sleevi off-list a few months ago, but I was not able to finish implementing it until a few days ago).

I've also made the checks for the "Disclosure Incomplete" bucket stricter. Missing/incomplete disclosures of BR and/or EV audits are now flagged.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060

On 18/07/2019 21:46, Andrew Ayer via dev-security-policy wrote:
> On Thu, 18 Jul 2019 11:40:31 -0700
> Wayne Thayer via dev-security-policy
> <[email protected]> wrote:
>
>> Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of
>> a bit of discussion.
>
> There's a third bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1567062
>
> Like the GoDaddy case, the intermediate supposedly having the same
> CP/CPS/audits as parent is not listed in the parent's audit report, so
> this too looks like an incorrect disclosure.
>
> Regarding Sectigo and Web.com, although their CPSes use extremely
> similar language, they are not consistent, since they list different
> CAA domains.
>
> Regards,
> Andrew

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

