On Tue, Nov 8, 2016 at 10:17 AM, Gervase Markham <[email protected]> wrote:
> Hi Peter,
>
> On 08/11/16 16:53, Peter Bowen wrote:
>> Can the "undisclosed" list be broken down further into "CA not disclosed at all" versus "missing disclosure of some cross-certificate"?
>>
>> For example, ACCVCA-130 is listed under both "Disclosed" and "Unconstrained id-kp-serverAuth Trust".
>> https://crt.sh/?sha256=572bf899fd774362dc19219625ecc157bb55434ea5166d5758dc4b4f890d6653&opt=mozilladisclosure (Disclosed)
>> https://crt.sh/?sha256=8f7cc455e9a5507804120655d7139186253e43b00422e734263a0769d2f89f7d&opt=mozilladisclosure (Not Disclosed)
>
> Both copies are now Disclosed for me. Have things changed since you posted this?
Apparently so. Try this set of three instead:

https://crt.sh/?sha256=cd74198d4c23e4701dea579892321b9e4f47a08bd8374710b899aad1495a4b35&opt=mozilladisclosure (Disclosed)
https://crt.sh/?sha256=870ed91b908c831672003003d451d2eccc13721531129a12f19a4266ce66f935&opt=mozilladisclosure (Not disclosed)
https://crt.sh/?sha256=376da371d590fed38a0d47bcbae142b04a510373d2976a69348ad1c160f889a0&opt=mozilladisclosure (Not disclosed)

This shows the issue -- all have the same subject info (DN, SKI, and KeyId).

>> I was very confused about this aspect of the tool, as I know other CAs were, because full audit details were provided for the subordinate CA. The problem is that the Salesforce system is treating cross-certificates as independent even if they have the same subject info (DN, SKI, and KeyId).
>
> So the problem is that the issuer of the cross-cert needs to disclose, but if they don't, blame is attributed to the receiver of the cross-cert?

No, the problem is that the Issuer reported their subCA, but Salesforce links the audit info to certificates, not to CAs. In the above example, there are three different CA certificates with the same issuer and subject, so the same (sub)CA is in both a "disclosed" and a "not disclosed" state.

>> Why not focus first on the Root CA operators that have failed to disclose _anything_? From the crt.sh report, it looks like Visa, TurkTrust, SECOM Trust Systems Co. Ltd., RSA the Security Division of EMC, Government of Taiwan: Government Root Certification Authority (GRCA), Government of Japan: Ministry of Internal Affairs and Communications, e-tugra, and certSIGN have entered zero disclosures.
>
> (That would lead to us ignoring 25 of the 90.) We could do that, although I'm not so concerned with being "fair" here, given the amount of notice everyone has had. There's also a bias in that those CAs which issued a lot of intermediates are more likely to get caught than those which work through only a few. But I'm not going to try and equalize for that either.
>
>> Have they responded to any CA communications?
>
> https://mozillacaprogram.secure.force.com/Communications/CACommSummaryReport?CommunicationID=a05o000000iHdtx (March 2016 CA Communication responses) shows responses from all of the CAs you list, and therefore...
>
>> Have they even established Salesforce accounts?
>
> ...they must have established Salesforce accounts.
>
> Gerv
>
> _______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
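The per-CA breakdown asked for at the top of this thread, as an added example that is not part of the thread, of crt.sh or of the Salesforce tool: it keys certificate records by (subject DN, SKI) so that cross-certificates of one CA are treated as one CA rather than as independent certificates, then reports whether a CA is undisclosed entirely or only missing disclosure of some cross-certificate. The records, names and hashes are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records, shaped like rows of the crt.sh disclosure view:
# one row per CA certificate with its subject DN, Subject Key Identifier and
# the disclosure status the tool shows for that single certificate.
# The sha256 values are placeholders, not the hashes quoted in the thread.
SAMPLE_CERTS = [
    {"sha256": "cert-a1", "subject": "CN=Example Sub CA,O=Example", "ski": "ski-A", "disclosed": True},
    {"sha256": "cert-a2", "subject": "CN=Example Sub CA,O=Example", "ski": "ski-A", "disclosed": False},
    {"sha256": "cert-a3", "subject": "CN=Example Sub CA,O=Example", "ski": "ski-A", "disclosed": False},
    {"sha256": "cert-b1", "subject": "CN=Other Sub CA,O=Other", "ski": "ski-B", "disclosed": False},
    {"sha256": "cert-c1", "subject": "CN=Third Sub CA,O=Third", "ski": "ski-C", "disclosed": True},
]


def group_by_ca(certs):
    """Key each certificate by (subject DN, SKI): cross-certificates that share
    both describe the same CA key, so they belong to one CA, not several."""
    groups = defaultdict(list)
    for cert in certs:
        groups[(cert["subject"], cert["ski"])].append(cert)
    return groups


def classify_ca(certs_for_ca):
    """Three states instead of the per-certificate disclosed/not-disclosed."""
    disclosed = [c for c in certs_for_ca if c["disclosed"]]
    if len(disclosed) == len(certs_for_ca):
        return "disclosed"
    if not disclosed:
        return "ca_not_disclosed"
    return "missing_cross_certificate"


def disclosure_report(certs):
    """Map (subject DN, SKI) -> CA status plus the hashes still undisclosed,
    so a CA that already disclosed one copy is not listed as wholly missing."""
    report = {}
    for key, members in group_by_ca(certs).items():
        missing = sorted(c["sha256"] for c in members if not c["disclosed"])
        report[key] = {"status": classify_ca(members), "missing": missing}
    return report


if __name__ == "__main__":
    for (subject, ski), info in disclosure_report(SAMPLE_CERTS).items():
        print(f"{subject} [{ski}]: {info['status']} missing={info['missing']}")
```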

