On 24/03/15 00:00, Peter Bowen wrote:
> Is there any data on this intermediate?
>
> - Was it publicly disclosed as per Mozilla's unconstrained subordinate policy?

Kathleen would need to say to be certain, but my understanding is no.

> - Was it issued since their latest complete audit period ended and, if
> not, did their auditor flag it?

It was issued:

        Validity
            Not Before: Mar 19 06:20:09 2015 GMT
            Not After : Apr 3 06:20:09 2015 GMT

I presume that is since their last audit.

> - What response has there been from CNNIC on this issue? How do they
> explain issuing a subordinate CA certificate with a private key not
> being on a HSM meeting the Baseline Requirements?

Good question. For those following along, this is Baseline Requirements 16.6:

16.6 Private Key Protection

The CA SHALL protect its Private Key in a system or device that has been validated as meeting at least FIPS 140 level 3 or an appropriate Common Criteria Protection Profile or Security Target, EAL 4 (or higher), which includes requirements to protect the Private Key and other assets against known threats. The CA SHALL implement physical and logical safeguards to prevent unauthorized certificate issuance. Protection of the Private Key outside the validated system or device specified above MUST consist of physical security, encryption, or a combination of both, implemented in a manner that prevents disclosure of the Private Key.

(And, just to be clear, from the definitions: "Certification Authority: An organization that is responsible for the creation, issuance, revocation, and management of Certificates. The term applies equally to both Root CAs and Subordinate CAs.")

> - How many other CA certs has CNNIC issued which are not stored on HSMs?

Unknown.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
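As an added illustration (not part of the thread or of any Mozilla tooling), a small Python check an auditor or relying party could run over `openssl x509 -text` output to flag a subordinate CA certificate issued after the CA's last audited period. The validity dates are the ones quoted above; the audit-period end date is an assumed placeholder.

```python
from datetime import datetime, timezone

# Constructed input: the Validity block as `openssl x509 -text` prints it,
# using the dates quoted in the thread for the CNNIC-issued intermediate.
VALIDITY_TEXT = """\
        Validity
            Not Before: Mar 19 06:20:09 2015 GMT
            Not After : Apr  3 06:20:09 2015 GMT
"""

# openssl's ASN.1 time rendering, e.g. "Apr  3 06:20:09 2015 GMT"
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = " ".join(key.split())          # "   Not After " -> "Not After"
        if key in ("Not Before", "Not After"):
            stamp = " ".join(value.split())  # collapse openssl's padding spaces
            dates[key] = datetime.strptime(stamp, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    if set(dates) != {"Not Before", "Not After"}:
        raise ValueError("Validity block not found or incomplete")
    return dates["Not Before"], dates["Not After"]


def audit_gap_report(not_before, not_after, audit_period_end):
    """Flag an intermediate whose issuance postdates the CA's last audited period.

    audit_period_end is the end of the last complete audit period (a placeholder
    in this example); anything issued after it has not yet been seen by an auditor.
    """
    return {
        "issued_after_audit": not_before > audit_period_end,
        "lifetime_days": (not_after - not_before).days,
    }


if __name__ == "__main__":
    nb, na = parse_validity(VALIDITY_TEXT)
    # Assumed placeholder for the CA's last audit-period end date.
    print(audit_gap_report(nb, na, datetime(2014, 12, 31, tzinfo=timezone.utc)))
```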