On 12/14/15 19:56, Eli Spitzer wrote:
> On Monday, December 14, 2015 at 8:59:03 PM UTC+2, Charles Reiss wrote:
>> On 12/14/15 17:56, Eli Spitzer wrote:
>>> The SubCA "Comsign Ev SSL CA" is at its initial development stages. It
>>> was indeed created under "Comsign Global Root CA", but so far we only
>>> issued a handful of test certificates from it. We have no plans to issue
>>> public certificates from it at the moment, since the EV trust bit will
>>> not be active any time soon.
>>
>> Mozilla's policy requires subCAs to be publicly disclosed "before any []
>> subordinate CA is allowed to issue certificates." How was this performed
>> for this subCA?
>>
>
> The request to add "Comsign Global Root CA" was submitted to Mozilla on
> 2014-11-30. The Comsign CA Hierarchy details were submitted to Mozilla on
> 2015-05-21. On both dates there was no SubCA called "Comsign EV SSL CA" in
> existence. It was created on 2015-09-24, as can be seen in the certificate
> that you have found. Since this Root CA request is taking a very long time to
> progress, naturally some processes are taking place in Comsign over time, and
> we are committed to disclose any development to Mozilla. However, this SubCA
> has never issued any certificate to end-entities other than Comsign itself.
> Moreover, this SubCA may even be revoked soon before it will ever do so,
> since for now it is strictly for testing purposes. It is possible to say that
> it was a simple oversight, but in fact this SubCA does not even fall under
> the requirement of the policy that it will not be "allowed to issue
> certificates" - since Comsign is not even considering issuing any
> certificate from it before we have the EV trust bit.
The existence of test certificates which chain to this subordinate CA certificate (like the one censys.io found) clearly puts it in the scope of Mozilla's disclosure policy. Mozilla's policy says "issue certificates", not "issue non-test certificates" or "issue certificates to third-parties".

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

