On 08.10.2013 07:16, Kaspar Brand wrote:
> On 06.10.2013 20:52, Brian Smith wrote:
>> In the abstract, I support the removal of the EV indicator for certs
>> from CAs that don't meet our requirements for OCSP, including the
>> requirement that OCSP responders must return a signed "unknown" or
>> signed "revoked" response for unknown certificates,
>
> Fine. So in the case of Verizon, why does Mozilla not proceed with
> removing their EV enablement? Their EV issuing CA has been non-compliant
> for 2 years, 9 months, and 8 days by now. No wiggle room for any
> discussion about effective dates etc., they indisputably failed to
> implement a mandatory component of their revocation infrastructure (and
> were certainly aware of this requirement in 2009, see
> https://groups.google.com/d/msg/mozilla.dev.security.policy/x_cuezl71OI/lt-ftQ0jmFoJ).

Another 10 days have passed without any apparent sign of Mozilla's willingness to address the case of the non-existence of an OCSP responder for the Cybertrust SureServer EV CA.

Let me quote again from the Mozilla CA Certificate Policy:

CA Certificate Enforcement Policy, Version 2.2, item 2:

> Mozilla may, at its sole discretion, disable (partially or fully) or
> remove a certificate at any time and for any reason. Mozilla will
> disable or remove a certificate if the CA demonstrates ongoing or
> egregious practices that do not maintain the level of service that
> was established in the Inclusion Section of the Mozilla CA
> Certificate Policy or that do not comply with the requirements of the
> Maintenance Section of the Mozilla CA Certificate Policy.

CA Certificate Inclusion Policy, Version 2.2, item 19:

> We have appointed a CA certificate "module owner" and (optionally)
> one or more "peers" to evaluate CA requests on our behalf and make
> decisions regarding all matters relating to CA certificates included
> in our products. CAs or others objecting to a particular decision may
> appeal to the Mozilla governance module owner or peer(s), who will
> make a final decision.

Will Mozilla at least make its decision re: keeping the EV enablement for Verizon public? Otherwise, the CA Certificate Policy is definitely becoming nothing but a farce (cf. e.g. item 2 of the Inclusion Policy, "a public process, based on objective and verifiable criteria"), and the Enforcement Policy in particular will remain a paper tiger for all eternity.

Kaspar

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

