On 24/03/15 00:00, Peter Bowen wrote:
> Is there any data on this intermediate?
> 
> - Was it publicly disclosed as per Mozilla's unconstrained subordinate policy?

Kathleen would need to say to be certain, but my understanding is no.

> - Was it issued since their latest complete audit period ended and, if
> not, did their auditor flag it?

It was issued:

        Validity
            Not Before: Mar 19 06:20:09 2015 GMT
            Not After : Apr  3 06:20:09 2015 GMT

I presume that is since their last audit.

> - What response has there been from CNNIC on this issue?  How do they
> explain issuing a subordinate CA certificate with a private key not
> being on a HSM meeting the Baseline Requirements?

Good question. For those following along, this is Baseline Requirements
16.6:

16.6 Private Key Protection

The CA SHALL protect its Private Key in a system or device that has been
validated as meeting at least FIPS 140 level 3 or an appropriate Common
Criteria Protection Profile or Security Target, EAL 4 (or higher), which
includes requirements to protect the Private Key and other assets
against known threats. The CA SHALL implement physical and logical
safeguards to prevent unauthorized certificate issuance.  Protection of
the Private Key outside the validated system or device specified above
MUST consist of physical security, encryption, or a combination of both,
implemented in a manner that prevents disclosure of the Private Key.

(And, just to be clear, from the definitions: "Certification Authority:
An organization that is responsible for the creation, issuance,
revocation, and management of Certificates. The term applies equally
to both Roots CAs and Subordinate CAs.")

> - How many other CA certs has CNNIC issued which are not stored on HSMs?

Unknown.

Gerv
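The two checks Peter's questions turn on (when was the subordinate issued, and does that fall after the CA's last audit period) can be run mechanically against the `Validity` block that `openssl x509 -text` prints. The script below is an added example for this thread, not code from the list or from Mozilla; it parses the validity block quoted above (embedded here as a constructed sample) with only the standard library and compares `Not Before` against an audit-period end date, which is a placeholder assumption since the real date is not given in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Validity block as quoted in the message,
# in the text layout openssl x509 -text produces.
VALIDITY_TEXT = """\
        Validity
            Not Before: Mar 19 06:20:09 2015 GMT
            Not After : Apr  3 06:20:09 2015 GMT
"""

# Placeholder assumption: the end of the CA's most recent audit period.
# The thread does not state the real date; substitute the audited one.
AUDIT_PERIOD_END_PLACEHOLDER = datetime(2014, 12, 31, tzinfo=timezone.utc)

_LINE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$")


def parse_openssl_time(text):
    """Turn 'Apr  3 06:20:09 2015 GMT' into an aware UTC datetime.

    openssl pads single-digit days with a second space; strptime treats
    whitespace in the format as 'one or more', so that parses cleanly.
    """
    text = text.strip()
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_validity(block):
    """Return (not_before, not_after) from an openssl-style Validity block."""
    found = {}
    for line in block.splitlines():
        m = _LINE_RE.search(line)
        if m:
            found[m.group(1)] = parse_openssl_time(m.group(2))
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block must contain Not Before and Not After")
    return found["Before"], found["After"]


def validity_days(not_before, not_after):
    """Whole days the certificate is valid for."""
    return (not_after - not_before).days


def issued_after(not_before, audit_period_end):
    """True if issuance post-dates the audit period, i.e. no auditor has seen it yet."""
    return not_before > audit_period_end


def assess(block, audit_period_end=AUDIT_PERIOD_END_PLACEHOLDER):
    """Summarise the questions an auditor or root program would ask of the cert."""
    nb, na = parse_validity(block)
    return {
        "not_before": nb.isoformat(),
        "not_after": na.isoformat(),
        "validity_days": validity_days(nb, na),
        "issued_after_audit_period": issued_after(nb, audit_period_end),
    }


if __name__ == "__main__":
    for key, value in assess(VALIDITY_TEXT).items():
        print(f"{key}: {value}")
```

A fourteen-day validity on a CA certificate is itself a signal worth flagging in a monitoring pipeline: it is long enough to issue leaf certificates but short enough to be gone before the next audit cycle, which is exactly why the "issued since the last audit" question matters.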

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy