All,
I appreciate you sharing your findings and opinions about this incident
and CA.
Based on some of the CA responses noted in the January CA
Communication[1], I have thought about constraining CAs that are unable
to meet the timelines that have been provided regarding compliance with
the Baseline Requirements and version 2.1 of Mozilla's CA Certificate
Policy[2]. This incident is a good example of why we should do this.
I would like to propose the following course of action for this CA, and
also propose that we take a similar course of action for other CAs who
are not able to meet the timelines[2].
Constrain the currently-included IGC/A root certificate to a certain set
of domains. I think the restriction needs to be along the lines of
*.gouv.fr.
Based on the list that Rob provided, there may be other domains that we
might consider including.
For example:
*.ac-martinique.fr
*.ac-creteil.fr
*.ac-orleans-tours.fr
*.education.fr
*.ac-poitiers.fr
Additionally, this CA has a root renewal request in progress[3]. As with
all root inclusion requests, the CA will be required to demonstrate
compliance with the BRs before the request can be approved.
Thanks,
Kathleen
[1] https://wiki.mozilla.org/CA:Communications#January_2013_Responses
[2] https://wiki.mozilla.org/CA:CertPolicyUpdates#Transitioning_to_the_Updated_Policy_Version_2.1
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=693450
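A verifier-side check of the kind of dNSName constraint proposed above, written as an added example (not code from the message, nor from Mozilla or NSS). The constraint list is constructed from the domains listed in the e-mail; treating the informal "*." shorthand as the RFC 5280 bare-domain form, and treating a wildcard SAN label as an ordinary label, are assumptions noted in the comments.

```python
"""Verifier-side check of X.509 dNSName permitted subtrees (RFC 5280 4.2.1.10)."""
from typing import Iterable, List

# Constructed constraint set taken from the domains proposed in the message.
# RFC 5280 encodes a dNSName constraint as the bare parent domain ("gouv.fr"),
# covering that exact name plus any name that adds labels on the left; the
# "*." prefix used in the e-mail is informal shorthand for the same subtree.
PROPOSED_PERMITTED_SUBTREES = [
    "*.gouv.fr",
    "*.ac-martinique.fr",
    "*.ac-creteil.fr",
    "*.ac-orleans-tours.fr",
    "*.education.fr",
    "*.ac-poitiers.fr",
]

def _name_labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot (FQDN form) is ignored.
    return name.lower().strip(".").split(".")

def _constraint_labels(constraint: str) -> List[str]:
    # Accept the RFC form ("gouv.fr") and the informal "*.gouv.fr" shorthand
    # (assumption: both denote the same permitted subtree).
    c = constraint.lower().strip()
    c = (c[2:] if c.startswith("*.") else c).strip(".")
    if not c:
        raise ValueError("empty dNSName constraint")
    return c.split(".")

def dns_name_in_subtree(san_name: str, constraint: str) -> bool:
    """True if san_name equals the constraint or adds labels to its left.
    Matching is on whole labels, so "evilgouv.fr" is not under "gouv.fr".
    A wildcard SAN ("*.ac-creteil.fr") is treated as having an ordinary
    leftmost label (assumption; RFC 5280 leaves this case undefined)."""
    san, con = _name_labels(san_name), _constraint_labels(constraint)
    return len(san) >= len(con) and san[-len(con):] == con

def names_outside_constraints(san_names: Iterable[str],
                              permitted: Iterable[str] = PROPOSED_PERMITTED_SUBTREES) -> List[str]:
    """Return the SAN dNSNames not covered by any permitted subtree."""
    permitted = list(permitted)
    return [n for n in san_names
            if not any(dns_name_in_subtree(n, c) for c in permitted)]

def leaf_permitted(san_names: Iterable[str],
                   permitted: Iterable[str] = PROPOSED_PERMITTED_SUBTREES) -> bool:
    """A chain under the constrained root is acceptable only if every dNSName
    in the leaf's SAN lies in some permitted subtree (RFC 5280 6.1.4)."""
    return not names_outside_constraints(san_names, permitted)
```

A single out-of-scope name in the leaf's SAN is enough to reject the chain, which is the behaviour a browser enforcing the proposed constraint would need.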
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy