On 5/6/20 5:19 AM, Ryan Sleevi wrote:
> Should we be creating CA incidents for repeats? I wasn’t sure if this was
> just an administrative hiccup on the Mozilla side in processing the case,
> or if this is a matter where the CA is not disclosing in a timely fashion.

CAs directly add audit information to intermediate certificate records
in the CCADB, so there is no dependency on the Mozilla side for this.
https://wiki.mozilla.org/CA/Email_templates#Outdated_Audit_Statements_for_Intermediate_Certificates
"This email is automatically sent by the CCADB on the first Tuesday of
each month to CAs who have outdated audit statements in their
intermediate cert records. An audit statement is determined to be
outdated when its Audit Period End Date is older than 1 year + 3 months."
Last year I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1549861
regarding Camerfirma not providing updated audit statements for their
subCAs.
This year Camerfirma received one notice for the outdated audit
statement for an intermediate cert, before they fixed it.
I didn't post the "Summary of April 2020 Outdated Audit Statements for
Intermediate Certs" here in m.d.s.p, because it was empty. But perhaps I
should post those empty summaries as well.
Anyways, my preference is to file a CA incident bug whenever a CA
receives more than one of these "Outdated Audit Statements for
Intermediate Certs" reminders for consecutive months.
Thanks,
Kathleen