If the information in the responses from May 2014 isn't also reflected in the CPS/CP, that may indeed be a violation of Mozilla policy on some level.
As others have said, Mozilla is also actively collecting up-to-date information about subCAs. Though not the CA's CPS/CP, these annual (I think) surveys do still give some idea of what subCAs each CA has and provide a secondary point of disclosure.

For the responses collected in May 2014, refer to the spreadsheet here: https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml

(I also duplicated the data from the first sheet above in a public spreadsheet which you can easily save a copy of here: https://docs.google.com/spreadsheets/d/1O0bGml-bR71YaHM8eiF7j-p0q7gBg2s5rJ7ZVDwLzBg/edit?usp=sharing)

As this information is collected/disclosed, Mozilla typically posts it to their CA:Communications wiki page: https://wiki.mozilla.org/CA:Communications

On Saturday, May 2, 2015 at 11:36:30 AM UTC-6, Matthew Pun wrote:
> The Mozilla CA Certificate Policy requires that all subordinate CAs which
> chain to Mozilla-accepted root CAs be technically constrained or publicly
> disclosed and audited. Regarding public disclosure, it further specifies that:
>
> "The Certificate Policy or Certification Practice Statement of the CA that
> has their certificate included in Mozilla's CA Certificate Program must
> specify where on that CA's website all such public disclosures are located."
>
> I checked several large CAs, which all have unconstrained subCAs, and could
> not find such a statement in their CPS or CP.
>
> CyberTrust (https://cybertrust.omniroot.com/repository) does not appear to
> have disclosed its subCAs anywhere.
> GeoTrust (https://www.geotrust.com/resources/repository/legal) has disclosed
> its subCAs in a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1019860).
> Comodo (https://www.comodo.com/about/comodo-agreements.php) and Entrust
> (http://www.entrust.net/CPS) have disclosed the list on their
> web sites but do not refer to the disclosure in their CPS/CP.
>
> Are these not violations of Mozilla policy? Or am I missing something?

