On 2013-12-09 22:12, Ryan Sleevi wrote:
> According to https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
> (see the Responses section), this CA has indicated that they do not expect
> to begin operating in full compliance to the Baseline Requirements and to
> Mozilla's 2.1 Inclusion Policy until Dec 2015/January 2016.

Until this, I was willing to give them the benefit of the doubt and hear the
explanation for the misissuance. However, given that this CA is unable
to fulfill basic requirements and doesn't intend to be able to do so for
two more years, despite the announcement already being a year old, I
think this is neither necessary nor appropriate. The recent events have
demonstrated that this CA has much more serious issues than some paperwork.

The cert chain <https://www.imperialviolet.org/binary/anssi-chain.txt>
published recently convinces me further that this CA needs to go ASAP.
One important change in the inclusion policy is that SubCAs need to be
technically constrained or publicly disclosed and audited. This is to
prevent exactly what happened here. We have now discovered a chain of
*four* unconstrained Sub-CAs, and the CA has only requested blocking of
the last one. We don't know how many other unconstrained Sub-CAs this CA
has created, and they are obviously not being handled well.

Erwann has pointed out other egregious examples of non-compliance.

The number of sites using the CA could be an argument in favor of
removal if it is low (since that would mean the CA provides little
benefit to our users), but I think the reasons mentioned above are
already much more than we need.

The level of usage should absolutely not be an argument against removal.
It certainly isn't "too big to fail" (i.e. it won't "break the web" for
the regular user), and the violations are egregious enough that we
cannot tolerate them.



Also, we may want to set a hard deadline in future CA communications,
which will lead to removal of the CA if ignored. This should also be
applied to the already announced policy upgrade. Does six months from
the announcement that there is now a hard deadline sound reasonable for
compliance (not for compliance and audit)? The ones that did specify a
date would stay within the range except for:

 - IGC/A (the CA being discussed here, end 2015)
 - Hongkong Post (mid 2015)
 - RSA ValiCert (end 2014)

I suspect that one of the reasons why the transition is taking so long
is because we tolerate it. If the CAs *had* to, I think they would
manage to do it in an acceptable timeframe.

Kind regards,
Jan

-- 
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...