Hi Nick,

I expect that our auditors would have noticed and reported if we had not tried to comply with 7.1.4.2.1.

Our next WebTrust audit starts shortly and I anticipate that the criteria used will be "WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.1"
http://www.webtrust.org/principles-and-criteria/item83666.pdf
Those criteria specifically call out 7.1.4.2.1 and the 1 October 2016 date.

Regards
Robin Alden
Comodo

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+robin=comodo....@lists.mozilla.org] On Behalf Of Nick Lamb
> Sent: 09 January 2017 16:41
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Compliance with 7.1.4.2.1 (internal names revocation)
>
> On Monday, 9 January 2017 14:05:25 UTC, Robin Alden wrote:
> > Nick,
> > Thanks for the heads-up.
> > We agree that the certificates you found should have been revoked.
>
> Thank you Robin for investigating this, for your explanation of what happened and for the sensible response of CT logging and revoking the affected certificates. Please pass on my thanks to any additional people at Comodo who made that happen.
>
> It would also be good to know (if you have relevant insight) whether you would expect your auditors to
>
> a) Notice and report if Comodo had not even tried to comply with this element of 7.1.4.2.1
> OR
> b) Notice and report the type of mistake made here, in which a process was followed to attempt compliance but it missed a proportion of affected certificates.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy