On 08/11/16 19:08, Peter Bowen wrote:
> On Tue, Nov 8, 2016 at 11:05 AM, Gervase Markham <[email protected]> wrote:
>> On 08/11/16 18:25, Peter Bowen wrote:
>>> No, the problem is that the Issuer reported their subCA but Salesforce
>>> links the audit info to certificates not to CAs. In the above
>>> example, there are three different CA certificates with the same
>>> issuer and subject, so the same (sub)CA is in both a "disclosed" and
>>> "not disclosed" state.
>>
>> Is it possible to fix the display by uploading the other two versions of
>> the cert and duplicating the audit info?
>
> Yes, that is how one fixes it. But I'm worried that CAs may think
> they properly followed the requirement and then find themselves
> penalized.

To have reached the incorrect conclusion that they'd "properly followed
the requirement", a CA would've presumably either...

1. Looked at https://crt.sh/mozilla-disclosures#undisclosed, noticed
that one or more of their intermediates was marked as "Disclosure is
required!", but decided to ignore it.

...or...

2. Not bothered to look at
https://crt.sh/mozilla-disclosures#undisclosed at all, even though its
existence has been communicated many times on this list.

Is that fair?

> Hence my suggestion to focus on CAs that clearly have not
> even attempted to follow the requirement.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
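
The certificate-versus-CA mismatch discussed in this thread, as an added example that is not part of the original messages and is not crt.sh or Salesforce code. It groups per-certificate disclosure records by (issuer, subject) so that a CA with audit info on only some of its certificates is reported separately from one with none; the record layout, field names and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data): one row per CA *certificate*,
# the way a certificate-keyed disclosure system would store them.
# Field names and fingerprints are hypothetical placeholders.
CERTS = [
    {"sha256": "aa11", "issuer": "CN=Example Root", "subject": "CN=Example Sub CA 1", "audit_disclosed": True},
    {"sha256": "bb22", "issuer": "CN=Example Root", "subject": "CN=Example Sub CA 1", "audit_disclosed": False},
    {"sha256": "cc33", "issuer": "CN=Example Root", "subject": "CN=Example Sub CA 1", "audit_disclosed": False},
    {"sha256": "dd44", "issuer": "CN=Example Root", "subject": "CN=Example Sub CA 2", "audit_disclosed": True},
    {"sha256": "ee55", "issuer": "CN=Example Root", "subject": "CN=Example Sub CA 3", "audit_disclosed": False},
]


def classify_cas(certs):
    """Group certificates by (issuer, subject) and classify each CA.

    Returns {(issuer, subject): (state, [fingerprints lacking audit info])}
    where state is 'disclosed', 'undisclosed', or 'partial' (some
    certificates of the same CA carry audit info and others do not).
    """
    groups = defaultdict(list)
    for cert in certs:
        groups[(cert["issuer"], cert["subject"])].append(cert)

    result = {}
    for ca, members in groups.items():
        missing = sorted(c["sha256"] for c in members if not c["audit_disclosed"])
        if not missing:
            state = "disclosed"
        elif len(missing) == len(members):
            state = "undisclosed"   # no certificate of this CA has audit info
        else:
            state = "partial"       # same CA is both disclosed and not disclosed
        result[ca] = (state, missing)
    return result


if __name__ == "__main__":
    for (issuer, subject), (state, missing) in classify_cas(CERTS).items():
        print(f"{subject} (issued by {issuer}): {state} {missing}")
```

A "partial" result lists the certificate versions that still need the audit info duplicated onto them, while "undisclosed" marks a CA with no audit info on any of its certificates.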

