I have updated the "Acceptable remediation" section of
https://wiki.mozilla.org/CA/Audit_Letter_Validation#Intermediate_Certificates
as follows.
I will greatly appreciate your review and input on this.
~~
Acceptable remediation:
Remediation may include one of the following when a non-technically-constrained intermediate certificate is missing from an audit statement. Note that Mozilla's Root Store Policy says: "If the CA has a currently valid audit report at the time of creation of the certificate, then the new certificate MUST appear on the CA's next periodic audit reports."

- Have your auditor issue a revised report that includes the intermediate certificate.
  -- This will not be an acceptable remediation if the certificate has been in existence for past audit periods.
  -- This is an acceptable remediation when the certificate is self-signed and has the same Subject and SPKI as other certificates listed in the audit statement. For example, this can happen when Mozilla includes one version of a root certificate, but another version of the root certificate can be part of a valid chain constructed as: leaf --> untrusted root --> trusted root.
- Revoke the intermediate certificate in accordance with Mozilla's Root Store Policy.
  -- If your CA decides not to revoke the certificate within the timeline specified by section 4.9 of the BRs, then that is another incident, which must be addressed in a separate Incident Report.
- If the intermediate certificate is technically capable but not intended for TLS issuance, and revocation is not imminent, you may request that Mozilla add it to OneCRL by adding a comment to the Bugzilla bug with the request and sending email to Mozilla. Note: While adding the certificate to OneCRL satisfies Mozilla's expectations for remediation, it may not satisfy other root store programs. You are advised to seek their guidance on this issue.
~~
Thanks,
Kathleen
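As an added illustration of the "self-signed with the same Subject and SPKI" case in the proposed text (this is not code from the mail or from Mozilla's tooling), the Go check below decides, for a certificate missing from an audit statement, whether a revised report alone would be acceptable, and exercises it on constructed certificates: a re-issued version of an audited root, a root with the same Subject but a new key, a root with the same key but a new Subject, and an intermediate issued by the root. The function names, the "Constructed Root CA" subjects and the use of Ed25519 keys are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a CA certificate from constructed test data; with parent == nil it is self-signed.
func newCert(cn string, key ed25519.PrivateKey, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: issuer is the template itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert
}

// RevisedReportAcceptable reports whether cert is self-signed and shares both Subject and
// SubjectPublicKeyInfo with a certificate already in the audit statement, the one case in
// which a revised audit report is an acceptable remediation for a missing certificate.
func RevisedReportAcceptable(cert *x509.Certificate, audited ...*x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) || cert.CheckSignatureFrom(cert) != nil {
		return false // issuer differs or the signature is not by its own key: not self-signed
	}
	for _, a := range audited {
		if bytes.Equal(a.RawSubject, cert.RawSubject) && bytes.Equal(a.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo) {
			return true
		}
	}
	return false
}

// Scenario classifies four constructed certificates missing from an audit statement that lists only
// version 1 of "Constructed Root CA"; only the re-issued root qualifies for a revised report.
func Scenario() (sameRootV2, otherKey, otherSubject, intermediate bool) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, otherK, _ := ed25519.GenerateKey(rand.Reader)
	rootV1 := newCert("Constructed Root CA", rootKey, 1, nil, nil)
	sameRootV2 = RevisedReportAcceptable(newCert("Constructed Root CA", rootKey, 2, nil, nil), rootV1)       // re-issued root, same key
	otherKey = RevisedReportAcceptable(newCert("Constructed Root CA", otherK, 3, nil, nil), rootV1)          // same Subject, new key
	otherSubject = RevisedReportAcceptable(newCert("Constructed Root CA G2", rootKey, 4, nil, nil), rootV1)  // same key, new Subject
	intermediate = RevisedReportAcceptable(newCert("Constructed Sub CA", otherK, 5, rootV1, rootKey), rootV1) // issued by the root, not self-signed
	return
}
```

Only the first verdict is true: the other three certificates would need one of the remaining remediations (revocation or a OneCRL request).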
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy