On Tue, Feb 09, 2016 at 04:24:22AM -0800, Erwann Abalea wrote:
> Hello,
> 
> On Tuesday, 9 February 2016 at 10:47:16 UTC+1, Jesus F wrote:
> > Dear all, 
> > 
> > As A-Trust requests EV treatment, I checked the EV certificates issued from 
> > the a-sign-SSL-EV-05 subordinate in crt.sh 
> > (https://crt.sh/?Identity=%25&iCAID=6096)
> > 
> > All of them state in businessCategory the following text: "V1.0, Clause 
> > 5.(X)". This text is similar to what was permitted by EV Guidelines version 1.2 
> > and prior, although "X" should have been "b", "c", "d" or "e" depending 
> > upon whether the Subject qualifies in the permitted categories. This text 
> > has not been permitted since EV Guidelines version 1.3, published in 2010. 
> > 
> > As the EV audit conducted by E&Y states that A-Trust is in compliance with 
> > "WebTrust Principles and Criteria for Certification Authorities - Extended 
> > Validation SSL - Version 1.4.5", which is based on the CA/Browser Forum 
> > Guidelines for the Issuance and Management of Extended Validation SSL 
> > Certificates - Version 1.4.5, and it is obvious that the auditor failed to 
> > detect this very basic issue, can we, the Mozilla Community, be reasonably 
> > assured of any of the auditor's necessary checks?
> > 
> > In addition, there are several more issues in these certificates:
> > 
> > - rfc822Name in SAN (https://crt.sh/?id=8889537&opt=cablint, 
> > https://crt.sh/?id=8889537&opt=cablint)
> > - FATAL: ASN.1 Error in EmailAddress 
> > (https://crt.sh/?id=12491213&opt=cablint, 
> > https://crt.sh/?id=9410992&opt=cablint)
> > - This cert has the following errors: Cert without subject alternative 
> > names extension, Cert of 1024 bits (https://crt.sh/?id=8935972&opt=cablint)
> 
> Without saying that the audit was perfect, all the evidence presented 
> here was produced after the audit was performed.

I may be misunderstanding the purpose of an audit, but doesn't the fact that
the evidence was created after the audit was performed show that the audit
was, in fact, insufficient?  To my way of thinking, an audit is supposed to
verify that things can *only* be done in a conformant manner -- that is,
that there are procedures and controls in place to prevent Bad Things from
happening.  In this case, it is fairly clear that Bad Things have, in fact,
happened, based on the existence of certificates issued in contravention of
the BRs.  Thus, the CA's procedures are insufficient, and the audit *should*
have found that, or else the audit is useless and unnecessary, and we should
just rely on catching bad happenings after the fact via CT.

- Matt
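The checks Jesus lists (legacy "V1.0, Clause 5.(X)" businessCategory wording, rfc822Name entries in the SAN, a missing SAN extension, and a 1024-bit key) are the kind of thing a CA or a relying party can run over issued certificates without waiting for an audit. The following is an added example written for this thread; it is not code from crt.sh, cablint, A-Trust or any poster. It uses the `cryptography` library, and the sample certificates are self-signed and constructed inline so the script runs offline; the regular expression for the legacy wording is an assumption based only on the text quoted above, and the 2048-bit floor is the current Baseline Requirements minimum for RSA.

```python
"""Lint a certificate for the EV defects discussed in the thread.

Added example, not part of the mailing-list post. Assumes the `cryptography`
library; sample certificates below are constructed here, not real issuances.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Assumed pattern for the pre-EVG-1.3 businessCategory wording quoted in the
# thread ("V1.0, Clause 5.(X)" with X one of b, c, d, e).
LEGACY_BUSINESS_CATEGORY = re.compile(r"^V1\.0, Clause 5\.\([b-e]\)$")
MIN_RSA_BITS = 2048  # current BR minimum for RSA subscriber keys


def lint_ev_certificate(cert: x509.Certificate) -> list[str]:
    """Return human-readable findings; an empty list means no check fired."""
    findings = []

    # Check 1: businessCategory still using the wording dropped in EVG 1.3.
    for attr in cert.subject.get_attributes_for_oid(NameOID.BUSINESS_CATEGORY):
        if LEGACY_BUSINESS_CATEGORY.match(attr.value):
            findings.append(f"businessCategory uses pre-EVG-1.3 wording: {attr.value!r}")

    # Check 2: the SAN extension must exist, and it must not carry rfc822Name.
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        findings.append("Cert without subject alternative names extension")
    else:
        emails = san.get_values_for_type(x509.RFC822Name)
        if emails:
            findings.append(f"rfc822Name in SAN: {emails}")

    # Check 3: RSA keys shorter than the BR minimum.
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"Cert of {pub.key_size} bits")

    return findings


def build_sample_cert(business_category, dns_names=(), email_names=(),
                      key_bits=2048, with_san=True):
    """Construct a self-signed sample certificate (test fixture, not a real cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")]
    if business_category is not None:
        attrs.append(x509.NameAttribute(NameOID.BUSINESS_CATEGORY, business_category))
    name = x509.Name(attrs)
    not_before = datetime.datetime(2016, 2, 9, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(not_before + datetime.timedelta(days=365)))
    if with_san:
        entries = [x509.DNSName(d) for d in dns_names]
        entries += [x509.RFC822Name(e) for e in email_names]
        builder = builder.add_extension(x509.SubjectAlternativeName(entries),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # A certificate exhibiting all three defects named in the thread.
    bad = build_sample_cert("V1.0, Clause 5.(b)", dns_names=["www.example.com"],
                            email_names=["admin@example.com"], key_bits=1024)
    for finding in lint_ev_certificate(bad):
        print("FINDING:", finding)
    # A certificate that passes every check.
    print("clean:", lint_ev_certificate(build_sample_cert("Private Organization",
                                                           dns_names=["www.example.com"])))
```

To run it against real issuances, replace `build_sample_cert` with `x509.load_pem_x509_certificate` over certificates downloaded from crt.sh; the lint function itself is unchanged.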

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy