One thing that would really help would be an attempt to document which publicly-accessible websites are using certificates that chain (only) to the ANSSI root. I heard the claim that most French public government websites actually use certificates that chain to a different CA. That has led me to wonder how much the ANSSI root is actually used by public websites. Having a list of domains that use certs that chain to ANSSI root is likely to have some significant bearing on the decisions about what to do. But, it will be a while before I would have time to compile such a list.
I think it would also help to document in this thread the ways we know that ANSSI is not complying with our CA program. Lack of OCSP AIA URI in the certificates is one example. Are there other ways that ANSSI is non-compliant?

Cheers,
Brian

On Mon, Dec 9, 2013 at 1:18 PM, Eddy Nigg <[email protected]> wrote:
> On 12/09/2013 11:12 PM, From Ryan Sleevi:
>
>> According to https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
>> (see the Responses section), this CA has indicated that they do not expect
>> to begin operating in full compliance to the Baseline Requirements and to
>> Mozilla's 2.1 Inclusion Policy until Dec 2015/January 2016.
>
> Thanks Ryan - then we probably should understand what Mozilla does or
> intends to do in such cases. Maybe this shows that something must be done
> (when we are assuming that by today every CA is compliant already and this
> should not be possible according to BR AND Mozilla's requirements).
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: [email protected]
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

