Brian, I was thinking it would be beneficial if ANSSI would provide a host:port that would have the bad chain installed. This allows for anyone to check if their browser has been updated to un-trust the intermediate. I make this suggestion in addition to the points you raise below, and I think it's fair to ask this of any CA that behaves badly.
One thing that would really help would be an attempt to document which
publicly-accessible websites are using certificates that chain (only) to the ANSSI root. I heard the claim that most French public government websites actually use certificates that chain to a different CA. That has led me to wonder how much the ANSSI root is actually used by public websites. Having a list of domains that use certs that chain to ANSSI root is likely to have some significant bearing on the decisions about what to do. But, it will be a while before I would have time to compile such a list.

I think it would also help to document in this thread the ways we know that ANSSI is not complying with our CA program. Lack of OCSP AIA URI in the certificates is one example. Are there other ways that ANSSI is non-compliant?

Cheers,
Brian

On Mon, Dec 9, 2013 at 1:18 PM, Eddy Nigg <[email protected]> wrote:
> On 12/09/2013 11:12 PM, From Ryan Sleevi:
>
>> According to https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
>> (see the Responses section), this CA has indicated that they do not expect
>> to begin operating in full compliance to the Baseline Requirements and to
>> Mozilla's 2.1 Inclusion Policy until Dec 2015/January 2016.
>
> Thanks Ryan - then we probably should understand what Mozilla does or
> intends to do in such cases. Maybe this shows that something must be done
> (when we are assuming that by today every CA is compliant already and this
> should not be possible according to BR AND Mozilla's requirements).
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: [email protected]
> Blog: http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
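The non-compliance Brian points to above (certificates issued without an OCSP URI in the Authority Information Access extension) is something anyone can check mechanically against a downloaded certificate. The following is an added example, not code from the thread or from Mozilla/NSS: a small pure-Python DER walker that locates the AIA extension (OID 1.3.6.1.5.5.7.1.1, RFC 5280 section 4.2.2.1) in a DER-encoded certificate and returns the OCSP responder URIs it names. Because the thread contains no certificate bytes, the block also carries a tiny DER encoder that builds a constructed, unsigned, certificate-shaped blob (placeholder issuer, subject and key) purely so the scanner can be exercised offline; on a real certificate you would pass the DER bytes straight to ocsp_responders.

```python
# Added example (not part of the thread): scan a DER-encoded X.509 certificate
# for the Authority Information Access extension and list its OCSP responder
# URIs. make_test_cert() builds a CONSTRUCTED, unsigned stand-in for testing.

OID_AIA = "1.3.6.1.5.5.7.1.1"      # id-pe-authorityInfoAccess
OID_OCSP = "1.3.6.1.5.5.7.48.1"    # id-ad-ocsp

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _find_extension(node, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, critical?,
    extnValue }; returns the extnValue OCTET STRING content, or None."""
    kids = list(_children(node))
    if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == oid:
        return kids[-1][1]
    for tag, v in kids:
        if tag & 0x20:                      # constructed: descend
            hit = _find_extension(v, oid)
            if hit is not None:
                return hit
    return None

def ocsp_responders(cert_der):
    """Return the OCSP URIs named in the AIA extension; [] when the certificate
    has no AIA extension at all or no id-ad-ocsp access method."""
    aia = _find_extension(cert_der, OID_AIA)
    if aia is None:
        return []
    _, descs, _ = _read_tlv(aia, 0)         # SEQUENCE OF AccessDescription
    urls = []
    for _, desc in _children(descs):
        method, location = list(_children(desc))
        # GeneralName uniformResourceIdentifier is context tag [6] (0x86)
        if _decode_oid(method[1]) == OID_OCSP and location[0] == 0x86:
            urls.append(location[1].decode("ascii"))
    return urls

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_test_cert(ocsp_url=None):
    """Constructed certificate-shaped DER (placeholder names/key, no real
    signature); with ocsp_url=None the AIA extension is omitted entirely."""
    exts = b""
    if ocsp_url is not None:
        access = _tlv(0x30, _oid(OID_OCSP) + _tlv(0x86, ocsp_url.encode("ascii")))
        exts += _tlv(0x30, _oid(OID_AIA) + _tlv(0x04, _tlv(0x30, access)))
    # basicConstraints (critical, cA=FALSE) stands in for "other extensions"
    exts += _tlv(0x30, _oid("2.5.29.19") + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                  # version v3
               + _tlv(0x02, b"\x01")                            # serialNumber
               + _tlv(0x30, _oid("1.2.840.113549.1.1.11"))      # sha256WithRSA
               + _tlv(0x30, b"")                                # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, b"131209000000Z") * 2)   # validity
               + _tlv(0x30, b"")                                # subject (empty Name)
               + _tlv(0x30, _tlv(0x03, b"\x00"))                # spki placeholder
               + _tlv(0xA3, _tlv(0x30, exts)))                  # [3] extensions
    return _tlv(0x30, tbs + _tlv(0x30, _oid("1.2.840.113549.1.1.11")) + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for url in ("http://ocsp.example.test", None):
        print(url, "->", ocsp_responders(make_test_cert(url)))
```

The walker deliberately descends only into constructed DER nodes, so it never misreads opaque OCTET STRING or BIT STRING contents as structure; the one OCTET STRING it does open is the extnValue of the matched AIA extension. An empty result on an end-entity certificate is the condition the thread describes, and is what a survey script over a list of hosts would record.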

