Hi Peter,

On 08/11/16 16:53, Peter Bowen wrote:
> Can the "undisclosed" list be broken down further into "CA not
> disclosed at all" versus "missing disclosure of some
> cross-certificate"?
> 
> For example, ACCVCA-130 is listed under both "Disclosed" and
> "Unconstrained id-kp-serverAuth Trust".
> https://crt.sh/?sha256=572bf899fd774362dc19219625ecc157bb55434ea5166d5758dc4b4f890d6653&opt=mozilladisclosure
> (Disclosed)
> https://crt.sh/?sha256=8f7cc455e9a5507804120655d7139186253e43b00422e734263a0769d2f89f7d&opt=mozilladisclosure
> (Not Disclosed)

Both copies are now Disclosed for me. Have things changed since you
posted this?

> I was very confused about this aspect of the tool, as I know other CAs
> were, because full audit details were provided for the subordinate CA.
> The problem is that the Salesforce system is treating
> cross-certificates as independent even if they have the same subject
> info (DN, SKI, and KeyId).

So the problem is that the issuer of the cross-cert needs to disclose,
but if they don't, blame is attributed to the receiver of the cross-cert?

> Why not focus first on the Root CA operators that have failed to
> disclose _anything_?  From the crt.sh report, it looks like Visa,
> TurkTrust, SECOM Trust Systems Co. Ltd., RSA the Security Division of
> EMC, Government of Taiwan: Government Root Certification Authority
> (GRCA), Government of Japan: Ministry of Internal Affairs and
> Communications, e-tugra, and certSIGN have entered zero disclosures.

(That would lead to us ignoring 25 of the 90.) We could do that,
although I'm not so concerned with being "fair" here, given the amount
of notice everyone has had. There's also a bias in that those CAs which
issued a lot of intermediates are more likely to get caught than those
which work through only a few. But I'm not going to try and equalize for
that either.

> Have they responded to any CA communications?

https://mozillacaprogram.secure.force.com/Communications/CACommSummaryReport?CommunicationID=a05o000000iHdtx
(March 2016 CA Communication responses) shows responses from all of the
CAs you list, and therefore...

> Have they even
> established Salesforce accounts?

...they must have established Salesforce accounts.

Gerv


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
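The point Peter raises above is that two cross-certificates for one subordinate CA share the same subject DN, Subject Key Identifier and public key, and a disclosure tracker that keys on per-certificate fingerprints will flag one copy as undisclosed even though the CA itself has been disclosed and audited. The following is an added example, not code from the thread, crt.sh or the Salesforce CCADB: it builds a constructed scenario with Go's standard library (two roots, "Root A" and "Root B", and one "Sub CA" key certified by both), then compares a fingerprint-keyed disclosure check against one keyed on subject DN plus SHA-256 of the SubjectPublicKeyInfo. All CA names, serials and the single-disclosure map are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// fingerprint returns the SHA-256 of the DER certificate: unique per copy,
// so a cross-certificate gets a different fingerprint from the original.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// caIdentity keys a CA by subject DN and SHA-256(SubjectPublicKeyInfo), so
// every certificate issued to the same CA key under the same name collapses
// to one identity regardless of who issued it.
func caIdentity(c *x509.Certificate) string {
	spki := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return c.Subject.String() + "|" + hex.EncodeToString(spki[:])
}

// groupByCA buckets certificates by caIdentity.
func groupByCA(certs []*x509.Certificate) map[string][]*x509.Certificate {
	groups := make(map[string][]*x509.Certificate)
	for _, c := range certs {
		groups[caIdentity(c)] = append(groups[caIdentity(c)], c)
	}
	return groups
}

// undisclosedByFingerprint treats each certificate as its own CA: a copy is
// undisclosed unless its exact fingerprint appears in the disclosed set.
func undisclosedByFingerprint(certs []*x509.Certificate, disclosed map[string]bool) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if !disclosed[fingerprint(c)] {
			out = append(out, c)
		}
	}
	return out
}

// undisclosedByCA treats all copies sharing a caIdentity as one CA: a copy is
// undisclosed only if no certificate for that CA key has been disclosed.
func undisclosedByCA(certs []*x509.Certificate, disclosed map[string]bool) []*x509.Certificate {
	known := make(map[string]bool)
	for _, c := range certs {
		if disclosed[fingerprint(c)] {
			known[caIdentity(c)] = true
		}
	}
	var out []*x509.Certificate
	for _, c := range certs {
		if !known[caIdentity(c)] {
			out = append(out, c)
		}
	}
	return out
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate is a minimal CA certificate template; Go fills SubjectKeyId from
// the public key when it is empty and IsCA is set, so both copies of the
// subordinate end up with the same SKI.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func mustCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildScenario (constructed): two roots and one subordinate CA key that is
// certified by Root A and cross-certified by Root B.
func buildScenario() (roots, subs []*x509.Certificate) {
	rootAKey, rootBKey, subKey := newKey(), newKey(), newKey()
	rootATpl, rootBTpl := caTemplate("Root A", 1), caTemplate("Root B", 2)
	rootA := mustCert(rootATpl, rootATpl, &rootAKey.PublicKey, rootAKey)
	rootB := mustCert(rootBTpl, rootBTpl, &rootBKey.PublicKey, rootBKey)
	subFromA := mustCert(caTemplate("Sub CA", 100), rootA, &subKey.PublicKey, rootAKey)
	subFromB := mustCert(caTemplate("Sub CA", 200), rootB, &subKey.PublicKey, rootBKey)
	return []*x509.Certificate{rootA, rootB}, []*x509.Certificate{subFromA, subFromB}
}

func main() {
	_, subs := buildScenario()
	disclosed := map[string]bool{fingerprint(subs[0]): true} // only the Root A copy was disclosed
	fmt.Println("distinct CA identities among sub-CA copies:", len(groupByCA(subs)))
	fmt.Println("undisclosed by fingerprint:", len(undisclosedByFingerprint(subs, disclosed)))
	fmt.Println("undisclosed by CA identity:", len(undisclosedByCA(subs, disclosed)))
}
```

With only the Root A copy in the disclosed set, the fingerprint-keyed check reports the Root B cross-certificate as undisclosed while the CA-keyed check reports nothing, which is the discrepancy the thread describes; note that the CA-keyed view answers "is this CA disclosed" but not "has the issuer of this particular cross-certificate recorded it", so a tracker that wants both has to report the two separately.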