On 05/09/16 23:58, Peter Bowen wrote:
> 1) Should any action be taken against the operators of these CAs due
> to the incidents listed?
>
> My view is that the correct answer is "no, unless it is demonstrated
> that the CA operator had knowledge of undisclosed incidents", as I
> believe that the issuer should be able to rely upon the audit reports
> and continued inclusion in the Mozilla trust store as prima facie
> evidence of compliance with Mozilla policy.
>
> 2) If Mozilla decides to take action that results in WoSign no longer
> being directly trusted, do those CAs with unrevoked unexpired
> cross-signs bear responsibility for any future mis-issuance by WoSign?
>
> My view is the answer is yes, as WoSign would be a subordinate CA
> rather than a peer being cross-signed. The Mozilla policy makes it
> clear that "All certificates that are capable of being used to issue
> new certificates, and which directly or transitively chain to a
> certificate included in Mozilla’s CA Certificate Program, MUST be
> operated in accordance with Mozilla’s CA Certificate Policy".
After consultation, Mozilla's CA team agrees with your views.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

