On 09.10.2013 02:04, Kathleen Wilson wrote:
> Then, to turn EV treatment back on, the CA would have to provide their 
> new BR and EV audit statements (showing that the problem has been fixed) 
> and re-request EV-treatment.

Like I wrote in the last paragraph of my message on 6 October, yes.

> Perhaps this is something we should consider adding to the policy?

Why do you want to blow up the policy even more? The following
paragraph from the enforcement policy is completely sufficient grounds
for disabling EV treatment for Cybertrust:

> Mozilla may, at its sole discretion, disable (partially or fully) or
> remove a certificate at any time and for any reason. Mozilla will
> disable or remove a certificate if the CA demonstrates ongoing or
> egregious practices that do not maintain the level of service that
> was established in the Inclusion Section of the Mozilla CA
> Certificate Policy or that do not comply with the requirements of the
> Maintenance Section of the Mozilla CA Certificate Policy.

Kaspar


Messages with attachments apparently don't find their way into the
newsgroup, so here's the attachment from my previous message again,
this time inline:


diff --git a/security/manager/ssl/src/nsIdentityChecking.cpp 
b/security/manager/ssl/src/nsIdentityChecking.cpp
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -135,27 +146,16 @@ static struct nsMyTrustedEVInfo myTruste
     "FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D",
     "MGAxCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
     "LixMVEQuMSowKAYDVQQLEyFTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RD"
     "QTE=",
     "AA==",
     nullptr
   },
   {
-    // CN=Cybertrust Global Root,O=Cybertrust, Inc
-    "1.3.6.1.4.1.6334.1.100.1",
-    "Cybertrust EV OID",
-    SEC_OID_UNKNOWN,
-    "5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6",
-    "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
-    "dCBHbG9iYWwgUm9vdA==",
-    "BAAAAAABD4WqLUg=",
-    nullptr
-  },
-  {
     // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
     "2.16.756.1.89.1.2.1.1",
     "SwissSign EV OID",
     SEC_OID_UNKNOWN,
     "D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61",
     "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT"
     "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=",
     "ALtAHEP1Xk+w",

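Review bot: Removing the "Cybertrust EV OID" entry (1.3.6.1.4.1.6334.1.100.1) from myTrustedEVInfo leaves nothing in the file recording why EV treatment was disabled or what is needed to restore it. A short comment at that position in the array, or a bug reference in the commit message, would help whoever handles a later re-request. Separately, the hunk header reads -135,27 +146,16: the hunk itself only removes 11 lines, yet the new start is 11 lines later than the old one, so 11 lines were added earlier in nsIdentityChecking.cpp that this inline patch does not show. Please include that earlier hunk or regenerate the diff against a clean tree so it applies on its own.
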
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy