On 09/11/16 17:36, Kathleen Wilson wrote:
> On Wednesday, November 9, 2016 at 4:16:56 AM UTC-8, Rob Stradling wrote:
>> To have reached the incorrect conclusion that they'd "properly followed
>> the requirement", a CA would've presumably either...
>> 1. Looked at https://crt.sh/mozilla-disclosures#undisclosed, noticed
>> that one or more of their intermediates was marked as "Disclosure is
>> required!", but decided to ignore it.
>
> Or thought it was incorrect. For example, there were some self-signed root
> certs that were marked as disclosure is required. Those have been added as
> intermediate certs for now...

Those undisclosed self-signed roots were signed by private keys that also
correspond to self-signed roots that are trusted by NSS. Therefore, the
undisclosed certs chain to the trusted ones. And therefore, they are
required to be disclosed, according to your policy AIUI.

IINM, the CAs who have encountered this particular issue have been talking
to you about it. That means that it wasn't the case that they "decided to
ignore it", which is good!

> Or got errors when trying to upload the certs to Salesforce. I still have
> several of these in my inbox to work through.
>
> Please note that the RSA root certificate is scheduled for removal in the
> December batch of root changes via
> https://bugzilla.mozilla.org/show_bug.cgi?id=1283326
> So I'm ignoring these: RSA the Security Division of EMC 18

Thanks for sharing that info.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
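A check for the key relationship described in the message above, as an added example that is not part of the original thread or of crt.sh: it assumes Go's standard crypto/x509 and constructs its own test certificates, and it flags a self-signed certificate that verifies under a trusted root's public key as chaining to that root (the same private key signed both).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a self-signed CA cert for a constructed test subject (not a real CA).
func selfSigned(cn string, serial int64, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert
}

// RequiresDisclosure: cert (self-signed, not in the store) verifies under a trusted root's key.
func RequiresDisclosure(cert *x509.Certificate, trusted []*x509.Certificate) bool {
	for _, root := range trusted {
		if root.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			return true
		}
	}
	return false
}

// Demo: a trusted root, a re-issued self-signed cert on the same key, and an unrelated one.
func Demo() (sameKey, otherKey bool) {
	shared, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := []*x509.Certificate{selfSigned("Constructed Trusted Root", 1, shared)}
	return RequiresDisclosure(selfSigned("Constructed Root (re-issued)", 2, shared), trusted),
		RequiresDisclosure(selfSigned("Constructed Unrelated Root", 3, other), trusted)
}
func main() { Demo() }
```

Real CA certificates would be loaded with x509.ParseCertificate from the disclosure data and the NSS root store instead of being constructed.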

