I think most CAs do monitor issuance by sub CAs. However, Verizon was not 
monitoring them for this type of issuance.  We are currently trying to 
transition everyone to DigiCert, including getting better reporting in place 
for their issuance activities. There is no policy requiring better monitoring 
of Sub CAs if they have their own audit, which each of these subCAs has. 
Typically, these are ETSI audits.  However, I would support a policy (either 
at Mozilla or the CAB Forum) that did require better monitoring of sub CAs.
From: Steve Schultze [mailto:sjschul...@gmail.com]
Sent: Wednesday, February 3, 2016 9:05 PM
To: Jeremy Rowley
Cc: Rick Andrews; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: More SHA-1 certs
Are CAs really not monitoring issuance of certs by their sub-CAs for simple 
violations like this?  Does this not violate a Mozilla or CAB Forum policy? 
Should it?
On Mon, Feb 1, 2016 at 1:41 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:

Same with DigiCert.  This is a sub CA issued by Verizon.  We've reached out
to the customer to investigate why they had the issue and what they are
doing to remediate.  We will provide details once we receive them.


-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Rick Andrews
Sent: Monday, February 1, 2016 11:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: More SHA-1 certs

On Sunday, January 31, 2016 at 9:47:53 AM UTC-8, Peter Bowen wrote:
> These are all in the last week
>
> Sub-CA under SHECA (which has applied to be in the Mozilla program)
> https://crt.sh/?id=12367776&opt=cablint
>
> Sub-CA under DigiCert
> https://crt.sh/?id=12460684&opt=cablint
>
> Sub-CA under Symantec
> https://crt.sh/?id=12456194&opt=cablint
> https://crt.sh/?id=12434313&opt=cablint

The Sub-CA under Symantec is managed by one of our customers. We've reached
out to them and we're investigating. More detail to follow.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

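Steve Schultze's question is whether CAs check what their sub-CAs issue for simple violations like SHA-1 signatures, and Jeremy Rowley's answer is that better reporting on sub-CA issuance is being put in place. The Python below is an added example, not code from this thread or from DigiCert, Verizon or crt.sh, of the minimal check such reporting needs: walk the DER of each issued certificate, read the outer signatureAlgorithm OID and the notBefore date, and flag SHA-1-signed certificates with a notBefore on or after 1 January 2016. It uses only the standard library; the signature-algorithm OIDs are the real ones, while the three sample certificates are constructed inline (structurally valid but unsigned placeholders, not the certificates linked above).

```python
"""Flag SHA-1-signed certificates issued after the SHA-1 sunset (added example)."""
import datetime

# Real OIDs for SHA-1 signature algorithms.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}
UTC = datetime.timezone.utc
SHA1_SUNSET = datetime.datetime(2016, 1, 1, tzinfo=UTC)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the elements contained in a constructed DER element."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, RFC 5280 pivot at 50
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def inspect_certificate(der):
    """Return (signature_oid, not_before) from a DER-encoded X.509 Certificate."""
    tag, vs, ve = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg = list(_children(der, vs, ve))[:2]        # tbsCertificate, signatureAlgorithm
    _, oid_s, oid_e = next(_children(der, sig_alg[1], sig_alg[2]))
    fields = list(_children(der, tbs[1], tbs[2]))
    idx = 1 if fields[0][0] == 0xA0 else 0                 # optional [0] version
    _, val_s, val_e = fields[idx + 3]                      # validity follows serial, signature, issuer
    nb_tag, nb_s, nb_e = next(_children(der, val_s, val_e))
    return _decode_oid(der[oid_s:oid_e]), _decode_time(nb_tag, der[nb_s:nb_e])


def sha1_violation(der):
    """True when the certificate is SHA-1 signed and was issued on/after the sunset date."""
    oid, not_before = inspect_certificate(der)
    return oid in SHA1_SIG_OIDS and not_before >= SHA1_SUNSET


# --- constructed sample certificates: minimal structure, dummy key, empty names, no real signature ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(enc)
    return _der(0x06, bytes(out))


def _alg(oid):
    return _der(0x30, _oid(oid) + _der(0x05, b""))         # AlgorithmIdentifier with NULL params


def build_sample_cert(sig_oid, not_before):
    nb = not_before.strftime("%y%m%d%H%M%SZ").encode()
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _alg(sig_oid)
           + _der(0x30, b"") + _der(0x30, _der(0x17, nb) + _der(0x17, b"270101000000Z"))
           + _der(0x30, b"") + _der(0x30, _alg("1.2.840.113549.1.1.1") + _der(0x03, b"\x00")))
    return _der(0x30, _der(0x30, tbs) + _alg(sig_oid) + _der(0x03, b"\x00"))


SAMPLES = {
    "sha1-after-sunset": build_sample_cert("1.2.840.113549.1.1.5", datetime.datetime(2016, 1, 28)),
    "sha1-before-sunset": build_sample_cert("1.2.840.113549.1.1.5", datetime.datetime(2015, 6, 1)),
    "sha256-after-sunset": build_sample_cert("1.2.840.113549.1.1.11", datetime.datetime(2016, 1, 28)),
}


def scan(certs):
    """Names of the certificates that would have to be reported to the parent CA."""
    return sorted(name for name, der in certs.items() if sha1_violation(der))


if __name__ == "__main__":
    print(scan(SAMPLES))
```

In practice `SAMPLES` would be replaced by the DER of every certificate the sub-CA issued in the reporting period, pulled from the CA's own database or from a CT log; the check deliberately reads only the outer signatureAlgorithm and notBefore, which is what a parent CA can verify without trusting anything else in the sub-CA's output. The `cablint` report linked from crt.sh above performs a far broader set of checks; this block shows only the one the thread is about.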