On 2/8/16 1:36 PM, Kurt Roeckx wrote:
> On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote:
>> All,
>>
>> We recently added two tests that CAs must perform and resolve errors for
>> when they are requesting to enable the Websites trust bit for their root
>> certificate.
>>
>> Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the
>> root certificate. Then click on the 'Search' button. Then click on the 'Run
>> cablint' link. All errors must be resolved/fixed.
>>
>> Test 2) Browse to https://cert-checker.allizom.org/ and enter the test
>> website and click on the 'Browse' button to provide the PEM file for the
>> root certificate. Then click on 'run certlint'. All errors must be
>> resolved/fixed.
>>
>> I added these to item #15 of
>> https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate
>>
>> This has sparked some discussions in Bugzilla Bugs that I think we should
>> move here to mozilla.dev.security.policy so that everyone may benefit from
>> the resulting decisions.
>
> So you're requesting this for new CAs?  What about existing CAs?
> Should we file bugs in bugzilla about the issues it found?  Are
> they supposed to look at it themselves and fix things?
>
>
> Kurt

Not much you can do about a currently-included root certificate other than re-issue the root certificate which can cause many other problems.

We will let the currently-included root certificates remain as-is (assuming proper CP/CPS/audits...), but all new root certificates must pass the tests before they may be included.

Thanks,
Kathleen

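Both tests above feed the root certificate to the same linter (cablint / certlint) through a web front end, and Test 1 keys on the root's SHA-1 fingerprint. The script below is an added example, not part of this thread or of Mozilla's process: it generates a throwaway self-signed root (constructed test data, not a real CA), prints its SHA-1 fingerprint in the form crt.sh displays, confirms that value is simply SHA-1 over the certificate's DER encoding (which is why re-issuing a root, as Kathleen notes, gives it a new identity), and runs the lint locally if the `cablint` command from the certlint Ruby gem is installed. Only the openssl CLI is required; the name and argument form of `cablint` are assumptions about that gem, and the script says so and skips the step when the tool is absent.

```shell
#!/bin/sh
# Added example: lint a root certificate locally the way the two tests do,
# instead of uploading it. Assumes only the openssl CLI; the `cablint`
# command (assumed to come from the certlint Ruby gem,
# https://github.com/awslabs/certlint, and to take a certificate file as
# its argument) is optional.
set -u

WORK=$(mktemp -d)

# Build a throwaway self-signed root (constructed test data, not a real CA)
# so the script runs offline. Prints the path of the PEM file.
make_test_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=XX/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  echo "$WORK/root.pem"
}

# SHA-1 fingerprint as crt.sh shows it: colon-separated upper-case hex.
sha1_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Same value without colons; crt.sh's search box accepts either form.
sha1_fingerprint_bare() {
  sha1_fingerprint "$1" | tr -d ':'
}

# What the fingerprint actually is: SHA-1 over the DER encoding of the whole
# certificate, so any re-issue of the root changes it.
der_sha1() {
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha1 | awk '{print $NF}' | tr 'a-f' 'A-F'
}

# Run the CA/B Forum lint locally. Returns cablint's exit status, or 0
# with a notice on stderr when the tool is not installed.
lint_root() {
  if command -v cablint >/dev/null 2>&1; then
    cablint "$1"
  else
    echo "cablint not found (gem install certlint); skipping local lint" >&2
    return 0
  fi
}

# Usage: sh lint_root.sh root.pem      (lint an existing root)
#        sh lint_root.sh --self-test   (generate and lint a throwaway root)
if [ $# -gt 0 ]; then
  case "$1" in
    --self-test) ROOT=$(make_test_root) ;;
    *) ROOT=$1 ;;
  esac
  echo "SHA-1 fingerprint (paste into crt.sh): $(sha1_fingerprint "$ROOT")"
  [ "$(sha1_fingerprint_bare "$ROOT")" = "$(der_sha1 "$ROOT")" ] \
    || { echo "fingerprint mismatch" >&2; exit 1; }
  lint_root "$ROOT"
fi
```

Running the lint locally before filing the inclusion request avoids the round trip through the web tools and lets the same check be scripted against every intermediate the CA intends to issue from the root, not only the root itself.
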
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy