On 03/11/16 19:34, Jeremy Rowley wrote:
> <snip>

Hi Jeremy.
> 7. The Belgium government is our biggest challenge in migrating Verizon customers. With over 20 issuing CAs, Belgium has the largest outstanding non-compliant infrastructure. The operators have also claimed that revoking their issuing CAs is illegal (in Belgium). The government is using the issuing CA for creating personal identification (e-ID) cards throughout the country. The Belgium government has dictated that they set the rules, not us. Although the Belgium government does not have an audit yet, Verizon has represented that the issuing CAs are hosted in the Verizon infrastructure and are potentially covered by the Verizon audit.
I've noticed that some of the Belgian government CAs have been disclosed to the CCADB with the CP/CPS and Audit fields marked as "Same as Parent", whereas the CP/CPS and Audit fields for the rest of those CAs have not yet been filled in.
If it's true that all of "the issuing CAs are hosted in the Verizon infrastructure and are potentially covered by the Verizon audit", then it would seem reasonable to expect to see the CP/CPS and Audit details for all of the Belgian government CAs set identically. Right?
Using the data on crt.sh (from which https://crt.sh/mozilla-disclosures is produced), I've summarized the current Belgian government CA disclosures in this spreadsheet:
https://docs.google.com/spreadsheets/d/1K4DEjqKvC5r_aiUGDYvbJBPVSOm8E6MO6RJQoj9zbrY/edit?usp=sharing

Were the "Same as Parent" tickboxes ticked correctly, or in error?
> We've asked Verizon to provide an updated audit report showing coverage of the Belgium issuing CAs by December 1, 2016. If the report is not delivered by December 1, 2016, we plan to immediately revoke the issuing CAs.
I note that you did not "immediately revoke" the issuing CAs on December 1, 2016. Does this mean that Verizon did provide "an updated audit report showing coverage of the Belgium issuing CAs" to DigiCert?
> If, for whatever reason, we are unable to revoke the issuing CAs at that time, we would certainly not object to the browsers distrusting the issuing CAs issued to Belgium.
Are you able to complete the Belgian government CA disclosures yet (either by revoking the issuing CAs or by updating the CP/CPS and Audit details as appropriate)?
Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
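The consistency check Rob describes above (sibling issuing CAs under one parent should resolve to the same CP/CPS and Audit values once "Same as Parent" is followed, and none should be left blank) can be run mechanically over a set of disclosure records. This is an added example, not code from the thread, from crt.sh or from the CCADB; the record layout, CA names and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple
SAME_AS_PARENT = "Same as Parent"

@dataclass
class CARecord:
    name: str
    parent: Optional[str]          # None for a root certificate
    cp_cps: Optional[str] = None   # URL, "Same as Parent", or None (not filled in)
    audit: Optional[str] = None    # likewise

def resolve(field_name: str, rec: CARecord, by_name: dict) -> Optional[str]:
    """Follow 'Same as Parent' up the chain; return the effective value, or None if blank."""
    seen = set()
    while rec is not None and rec.name not in seen:  # seen-set guards against a cyclic parent link
        seen.add(rec.name)
        value = getattr(rec, field_name)
        if value != SAME_AS_PARENT:
            return value
        rec = by_name.get(rec.parent)
    return None

def audit_siblings(records: List[CARecord]) -> List[Tuple[str, str, str]]:
    """Group issuing CAs by parent; report blank fields and siblings whose effective values differ."""
    by_name = {r.name: r for r in records}
    groups: dict = {}
    for r in records:
        if r.parent is not None:
            groups.setdefault(r.parent, []).append(r)
    findings = []
    for parent, kids in groups.items():
        for fld in ("cp_cps", "audit"):
            effective = {k.name: resolve(fld, k, by_name) for k in kids}
            for name, val in effective.items():
                if val is None:
                    findings.append((name, fld, "not filled in"))
            distinct = {v for v in effective.values() if v is not None}
            if len(distinct) > 1:
                findings.append((parent, fld, "siblings disagree: " + ", ".join(sorted(distinct))))
    return findings

# Constructed sample disclosures: one root and three issuing CAs beneath it (not real CCADB data).
SAMPLE = [
    CARecord("Example Root CA", None, "https://example.invalid/cps", "https://example.invalid/audit-2016"),
    CARecord("Example Issuing CA 1", "Example Root CA", SAME_AS_PARENT, SAME_AS_PARENT),
    CARecord("Example Issuing CA 2", "Example Root CA"),  # both fields left blank
    CARecord("Example Issuing CA 3", "Example Root CA", "https://example.invalid/other-cps", SAME_AS_PARENT),
]
if __name__ == "__main__":
    for name, fld, problem in audit_siblings(SAMPLE):
        print(f"{name}: {fld}: {problem}")
```

For the constructed sample this reports the blank CA 2 twice and a CP/CPS disagreement under the root, which is the pattern Rob's spreadsheet question is probing for.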