Hi Rob,
there are two intermediate certification authorities on your missing list (CA Disig I2 Certification Service and CA Disig I1 Certification Service) which are no longer capable of issuing a new SSL certificate and which no longer directly chain to a certificate included in Mozilla's CA Certificate Program.

According to the Mozilla CA Certificate Inclusion Policy (Version 2.2):
"All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with Mozilla's CA Certificate Policy and MUST either be technically constrained or be publicly disclosed and audited."

The root for those intermediates (CA Disig) was removed from Mozilla's CA Certificate Program (see https://bugzilla.mozilla.org/show_bug.cgi?id=1247711) due to the expiration.

Regards
Peter Miskovic

---------------------------------
Peter Miskovic
CA Chief Operating Officer
Disig, a.s., Zahradnicka 151, 821 08 Bratislava 2, Slovakia
phone +421 2 20 85 01 50
[email protected]
www.disig.sk

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+peter.miskovic=disig...@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Tuesday, May 17, 2016 12:31 AM
To: Kathleen Wilson <[email protected]>; [email protected]
Subject: Re: CSV Format of CA Program reports

Thanks Kathleen.

PublicAllIntermediateCertsCSV is missing quite a few entries compared to my own CSV export of the "All Public Intermediate Certs" report.

I've reviewed the differences. It looks like you're now omitting incomplete records and records for intermediates that didn't actually need to be disclosed. I presume this is a deliberate change, and I think it makes sense.
In case anyone's interested, here's a list of the currently disclosed intermediates that aren't in PublicAllIntermediateCertsCSV:
https://docs.google.com/spreadsheets/d/1nd2ie-JsS2CxMOX5nBGQgQEelhmkq-OcTKkvCe4U42Q/edit?usp=sharing

One oddity: Some intermediates (e.g. https://crt.sh/?id=17014784) contain the EKU extension with the MS SGC and/or NS Step-Up OIDs and _not_ id-kp-serverAuthentication. The policy says that these don't need to be disclosed, but Firefox does trust them as issuers of server authentication certs.

On 16/05/16 19:27, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
>
> I have also updated the links in wiki page.
> https://wiki.mozilla.org/CA:SubordinateCAcerts
>
> Thanks,
> Kathleen

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

