Not many websites, but all of the Belgium ID cards would end up being revoked.
Although Belgium is only issuing client certs, the issuing CA is not technically constrained, meaning a BR, Network security, and standard WebTrust audit is required. We are currently waiting for the results of the audit report.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:firstname.lastname@example.org .org] On Behalf Of Kurt Roeckx
Sent: Monday, January 9, 2017 9:54 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

On 2017-01-09 17:28, Rob Stradling wrote:
> On 03/11/16 19:34, Jeremy Rowley wrote:
> <snip>
>
> Hi Jeremy.
>
>> 7. The Belgium government is our biggest challenge in migrating
>> Verizon customers. With over 20 issuing CAs, Belgium has the largest
>> outstanding non-compliant infrastructure. The operators have also
>> claimed that revoking their issuing CAs is illegal (in Belgium). The
>> government is using the issuing CA for creating personal
>> identification (e-ID) cards throughout the country. The Belgium
>> government has dictated that they set the rules, not us. Although the
>> Belgium government does not have an audit yet, Verizon has
>> represented that the issuing CAs are hosted in the Verizon
>> infrastructure and are potentially covered by the Verizon audit.
>
> I've noticed that some of the Belgian government CAs have been
> disclosed to the CCADB with the CP/CPS and Audit fields marked as
> "Same as Parent", whereas the CP/CPS and Audit fields for the rest of
> those CAs have not yet been filled in.

Note that the Belgium root CA's information is available at:
http://repository.eid.belgium.be/index.php?lang=en

As far as I know, most of the certificates are for (client) authentication and signatures as used by the government itself and some websites that make use of it. Those should already be set up to trust that root for client authentication.

I think I also found some websites, but most actually use a different CA. So it seems unlikely that many public websites would get broken by revoking it.

Kurt

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy