On Tuesday, November 8, 2016 at 8:19:15 AM UTC-8, Gervase Markham wrote:
> Hi everyone,
>
> I'd like to take some action about persistent failures to properly
> disclose intermediates. The deadline for this was June, and CAs have had
> a number of reminders, so there's no excuse.

I've been exchanging email and working with just about all of these CAs. There have been a few problems in our Salesforce customization to work out, and there have been some questions about which intermediate certs needed to be disclosed (regarding different instances of essentially the same certificate).

Anyways, hopefully this discussion will give those CAs additional incentive to finish getting their intermediate certs fully disclosed in the CA Community in Salesforce. And it is a good idea to figure out what the consequences will be of CAs not disclosing their intermediate certs in the CA Community in Salesforce.

> There is also a list on that page of certs which CAs have disclosed but
> not provided audit info, but given that you can get off that list by
> putting _anything_ in the relevant box in Salesforce, I'm worried about
> perverse incentives if we go after people on that list at the moment:
> https://crt.sh/mozilla-disclosures#disclosureincomplete

For these I would like to add customization/automation to Salesforce to notify CAs when their subCA info is incomplete or out of date (similar to the audit reminder emails that get sent monthly). But currently we are working on customizing and workflow in Salesforce for CAs to be able to directly provide annual updates regarding audit/CP/CPS information for their root certs.

Cheers,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

