On Wed, Apr 27, 2016 at 8:41 PM, Peter Bowen <[email protected]> wrote:
> As far as I can tell, SalesForce does not have a way to show multiple
> certificates for one CA. So it is entirely possible to have all CAs
> disclosed but not have all CA certificates disclosed. (Some of the
> edges in the graph may not be present)
>
> Does disclosing all CAs meet the policy or does there need to be an
> update to support disclosing additional certificates?

Policy saith:

"""
All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with Mozilla’s CA Certificate Policy <https://github.com/mozilla/ca-policy/blob/master/index.html> and MUST either be *technically constrained* or be *publicly disclosed and audited*.
"""

That reads to me to say that all certificates that might be used in building a chain to a trusted root need to be disclosed, not just one per CA. If our SalesForce system doesn't support multiple certs per CA, we might have to come up with a work-around until it does.

--Richard

> On Wed, Apr 27, 2016 at 5:19 PM, Richard Barnes <[email protected]> wrote:
> > I think it was pulled this afternoon, but I don't know if SalesForce updates
> > the report.
> >
> > In any case, this is being provided as a guide to CAs to help them make sure
> > they get everything, not to place blame on anyone for being on the list. Of
> > course, as we get closer to June 30...
> >
> > On Wed, Apr 27, 2016 at 8:17 PM, Peter Bowen <[email protected]> wrote:
> >>
> >> When was the Salesforce data pulled? I see several in that list I
> >> entered a while ago.
> >>
> >> On Wed, Apr 27, 2016 at 5:15 PM, Richard Barnes <[email protected]> wrote:
> >> > Dear CAs,
> >> >
> >> > As you guys are working toward the June 30 deadline for disclosing
> >> > intermediate certificates in SalesForce, I thought I would share some notes
> >> > on the undisclosed certificates that we're seeing, so that you can make
> >> > sure you get them all uploaded.
> >> >
> >> > Zakir Durumeric from UMich/Censys.io has helpfully compiled a list of CA
> >> > certificates that have been observed in Censys scans of the Internet, and
> >> > noted which of those certificates are not in SalesForce so far.
> >> >
> >> > I've posted the list here for your reference:
> >> > https://gist.github.com/bifurcation/bf994d9fc3753f78472da8233da1fe52
> >> >
> >> > Note that this list is static, so if you add a certificate to SalesForce,
> >> > it won't instantly disappear from this list. But we'll try to update it
> >> > every so often as we approach June 30, and will notify this list when we
> >> > do.
> >> >
> >> > Cheers,
> >> > --Richard
> >> > _______________________________________________
> >> > dev-security-policy mailing list
> >> > [email protected]
> >> > https://lists.mozilla.org/listinfo/dev-security-policy
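The gap Peter describes (every CA disclosed, yet not every CA certificate disclosed) is easiest to see when the chain graph is modelled with certificates as edges rather than CAs as nodes. The following is an added example, not code from the thread, from Mozilla or from the Salesforce database: it uses constructed placeholder fingerprints and SPKI hashes (`fp-int-a`, `spki-root`, ...) in place of real certificate and key hashes, treats an "included root" as a key in a set, and computes the two views side by side: which CAs have at least one disclosed certificate, and which individual certificates chain to an included root but are missing from the disclosed set. Only the second view matches the policy text quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CACert:
    """One CA certificate: an edge in the chain graph, identified by its own fingerprint."""
    fingerprint: str   # stands in for the SHA-256 of the DER certificate (constructed value)
    subject: str       # subject name of the CA this certificate belongs to
    spki: str          # stands in for a hash of the Subject Public Key Info (constructed value)
    issuer_spki: str   # hash of the key that signed this certificate


# Constructed sample data (not real certificates): one included root, one
# intermediate CA holding two certificates for the same key (a re-issue),
# a sub-CA beneath it, and a third certificate for the intermediate key
# signed by a root that is NOT in the program.
INCLUDED_ROOT_SPKIS = {"spki-root"}

OBSERVED = [
    CACert("fp-root-1", "Example Root CA", "spki-root", "spki-root"),
    CACert("fp-int-a", "Example Intermediate CA", "spki-int", "spki-root"),
    CACert("fp-int-b", "Example Intermediate CA", "spki-int", "spki-root"),
    CACert("fp-int-c", "Example Intermediate CA", "spki-int", "spki-other-root"),
    CACert("fp-sub-a", "Example Sub CA", "spki-sub", "spki-int"),
]

# What a one-certificate-per-CA disclosure database would hold (constructed).
DISCLOSED_FINGERPRINTS = {"fp-int-a", "fp-sub-a"}


def index_by_spki(certs):
    """Map each key hash to every certificate carrying that key, so chains are walked by key."""
    by_spki = defaultdict(list)
    for cert in certs:
        by_spki[cert.spki].append(cert)
    return by_spki


def chains_to_included_root(cert, by_spki, roots):
    """True if some path of certificates leads from cert up to an included root key.

    Each issuer key may be carried by several certificates, so every one of
    them is explored; the seen-set guards against cross-signing loops.
    """
    seen = set()
    frontier = [cert]
    while frontier:
        current = frontier.pop()
        if current.issuer_spki in roots:
            return True
        if current.fingerprint in seen:
            continue
        seen.add(current.fingerprint)
        frontier.extend(by_spki.get(current.issuer_spki, []))
    return False


def required_disclosures(certs, roots):
    """Every non-root CA certificate that chains to an included root falls under the policy."""
    by_spki = index_by_spki(certs)
    return [c for c in certs
            if c.spki not in roots and chains_to_included_root(c, by_spki, roots)]


def undisclosed_certificates(certs, disclosed, roots):
    """Certificate-level view: fingerprints the policy covers but the database lacks."""
    return sorted(c.fingerprint for c in required_disclosures(certs, roots)
                  if c.fingerprint not in disclosed)


def disclosed_per_ca(certs, disclosed, roots):
    """CA-level view: for each (subject, key) pair, is at least one certificate disclosed?"""
    status = {}
    for c in required_disclosures(certs, roots):
        key = (c.subject, c.spki)
        status[key] = status.get(key, False) or (c.fingerprint in disclosed)
    return status


if __name__ == "__main__":
    per_ca = disclosed_per_ca(OBSERVED, DISCLOSED_FINGERPRINTS, INCLUDED_ROOT_SPKIS)
    print("Every CA has a disclosed certificate:", all(per_ca.values()))
    print("Certificates still undisclosed:",
          undisclosed_certificates(OBSERVED, DISCLOSED_FINGERPRINTS, INCLUDED_ROOT_SPKIS))
```

With the constructed data the CA-level check passes for every CA while the certificate-level check still reports `fp-int-b`, the re-issued intermediate certificate. `fp-int-c` is not reported because its only issuer key is outside the program, which is the "directly or transitively chain" condition of the policy text doing its work.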

