10 of the 12 test certificates are misissued because they contain empty SCT extensions. Per RFC 6962 Section 3.3, SCT extensions MUST contain at least one SCT.

I'm very concerned that the primary use for this CA will be issuing certificates for embedded systems such as set top boxes, cable modems, IoT devices, and the like. Embedded systems tend to run out-of-date software which never receives updates. Historically, using publicly-trusted certificates with embedded systems has harmed the WebPKI by holding back progress and creating perverse incentives for CAs to misissue certificates for compatibility with old devices.

I would ask CommScope to describe in detail:

1. How CommScope will ensure that the devices which use their certificates stay up-to-date with TLS and WebPKI ecosystem improvements.

2. How the certificates on these devices will be replaced in the event that an arbitrarily large number of certificates need to be revoked within the timelines specified by BR 4.9.1.

Regards,
Andrew
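The check behind the first point of the message, as an added example that is not part of the original message or any CA's tooling: a Python linter-style function that parses the value of the embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) and flags a list with no SCTs, as RFC 6962 Section 3.3 requires at least one. The function names and sample bytes are constructed for illustration, and the input is assumed to be the contents of the extension's extnValue (a DER OCTET STRING wrapping the TLS-encoded list).

```python
def read_der_octet_string(data: bytes) -> bytes:
    """Return the contents of a DER OCTET STRING that spans all of `data`."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("expected DER OCTET STRING (tag 0x04)")
    length, offset = data[1], 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(data):
        raise ValueError("DER length does not match data size")
    return data[offset:]

def parse_sct_list(tls_list: bytes) -> list[bytes]:
    """Split a TLS-encoded SignedCertificateTimestampList into SerializedSCTs."""
    if len(tls_list) < 2:
        raise ValueError("missing sct_list length prefix")
    total = int.from_bytes(tls_list[:2], "big")
    body = tls_list[2:]
    if total != len(body):
        raise ValueError("sct_list length prefix does not match body")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SerializedSCT length")
        n = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if n == 0 or pos + n > len(body):
            raise ValueError("empty or truncated SerializedSCT")
        scts.append(body[pos:pos + n])
        pos += n
    return scts

def check_sct_extension(extn_value: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for the contents of the extension's extnValue."""
    try:
        scts = parse_sct_list(read_der_octet_string(extn_value))
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if not scts:
        return False, "empty SCT list (RFC 6962 Section 3.3 requires at least one SCT)"
    return True, f"{len(scts)} SCT(s)"

# Constructed sample values, not taken from the certificates under discussion.
EMPTY = bytes.fromhex("04020000")                   # zero-length sct_list
ONE = bytes.fromhex("0407" "0005" "0003" "aabbcc")  # one 3-byte placeholder SCT
```

The parser checks structure only; it does not validate SCT signatures or log IDs.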
