On Tue, Nov 8, 2016 at 8:18 AM, Gervase Markham <[email protected]> wrote:

> I'd like to take some action about persistent failures to properly
> disclose intermediates. The deadline for this was June, and CAs have had
> a number of reminders, so there's no excuse.
>
> Of course, if intermediates aren't disclosed, we can't be certain what
> they are, but crt.sh has a good idea of many of them:
> https://crt.sh/mozilla-disclosures#undisclosed
>
> There is also a list on that page of certs which CAs have disclosed but
> not provided audit info, but given that you can get off that list by
> putting _anything_ in the relevant box in Salesforce, I'm worried about
> perverse incentives if we go after people on that list at the moment:
> https://crt.sh/mozilla-disclosures#disclosureincomplete
Based on data this morning, it looks like there are only two left on that undisclosed list. One of them is RSA, who is already scheduled for removal. The other is TurkTrust, which announced they are leaving the server auth cert business: https://cabforum.org/pipermail/public/2016-September/008475.html

So it seems this problem has resolved itself. No need to invent random selection schemes.

Now, the real fun is going to be seeing if the supplied audit report URLs actually point to reports and if all the CAs claimed to be covered are actually covered ;)

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

