https://crt.sh/mozilla-disclosures#undisclosed has listed
https://crt.sh/?id=160110886 for over 1 week.
This is a violation of section 5.3.2 of the Mozilla Root Store Policy
v2.5 [1], which says (emphasis mine):
"All certificates that are capable of being used to issue new
certificates, that are not technically constrained, and that directly or
transitively chain to a certificate included in Mozilla’s root program
MUST be audited in accordance with Mozilla’s Root Store Policy and MUST
be publicly disclosed in the CCADB by the CA that has their certificate
included in Mozilla’s root program. The CA with a certificate included
in Mozilla’s root program MUST disclose this information *within a week*
of certificate creation, and before any such subordinate CA is allowed
to issue certificates."
It's a self-signed root certificate, but nonetheless there exists a
signature chain up to an included root and so disclosure is required.
[1]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
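The policy text quoted above turns on two certificate properties that can be checked offline from the certificate itself: whether it is capable of issuing (basicConstraints cA=TRUE) and whether it is technically constrained (section 5.3.1: an EKU extension without anyExtendedKeyUsage, plus Name Constraints where serverAuth is permitted). The following Go program is an added example, not code from the original post, from Rob Stradling, or from crt.sh. It mints three constructed certificates (an unconstrained CA, a constrained sub-CA, and a leaf; none of them are real CA certificates) and applies a simplified reading of 5.3.1 to each; that reading, and the helper names `RequiresDisclosure`, `isTechnicallyConstrained` and `BuildExamples`, are the example's own assumptions. The two conditions it cannot check offline, that the certificate chains to an included root and whether it already appears in the CCADB, are deliberately left out; as the post notes, a self-signed certificate still needs disclosure when a cross-signature chains it to an included root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isCACapable: "capable of being used to issue new certificates", read as
// basicConstraints present with cA=TRUE. Self-signed or not is irrelevant.
func isCACapable(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, u := range c.ExtKeyUsage {
		if u == want {
			return true
		}
	}
	return false
}

func hasNameConstraints(c *x509.Certificate) bool {
	return len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+
		len(c.PermittedIPRanges)+len(c.ExcludedIPRanges)+
		len(c.PermittedEmailAddresses)+len(c.ExcludedEmailAddresses)+
		len(c.PermittedURIDomains)+len(c.ExcludedURIDomains) > 0
}

// isTechnicallyConstrained is a simplified reading (assumption) of policy
// section 5.3.1: an EKU extension must be present and must not include
// anyExtendedKeyUsage; if serverAuth is permitted, Name Constraints are required.
func isTechnicallyConstrained(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false // no EKU at all: may issue certificates of any kind
	}
	if hasEKU(c, x509.ExtKeyUsageAny) {
		return false
	}
	if hasEKU(c, x509.ExtKeyUsageServerAuth) && !hasNameConstraints(c) {
		return false
	}
	return true
}

// RequiresDisclosure applies the section 5.3.2 rule to one certificate. The
// chain-to-included-root and CCADB lookups need external data and are omitted.
func RequiresDisclosure(c *x509.Certificate) bool {
	return isCACapable(c) && !isTechnicallyConstrained(c)
}

// mint issues tmpl from parent (self-signed when parent is nil) with a fresh
// P-256 key and returns the parsed certificate plus its private key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildExamples mints three constructed certificates (not real CA certificates):
// an unconstrained CA, a technically constrained sub-CA it issues, and a leaf.
func BuildExamples() (unconstrained, constrained, leaf *x509.Certificate, err error) {
	var caKey *ecdsa.PrivateKey
	unconstrained, caKey, err = mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Constructed Unconstrained CA"},
		BasicConstraintsValid: true, IsCA: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return
	}
	constrained, _, err = mint(&x509.Certificate{
		Subject:                     pkix.Name{CommonName: "Constructed Constrained Sub CA"},
		BasicConstraintsValid:       true, IsCA: true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:                 []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		PermittedDNSDomains:         []string{".example.com"},
		PermittedDNSDomainsCritical: true,
	}, unconstrained, caKey)
	if err != nil {
		return
	}
	leaf, _, err = mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "www.example.com"},
		DNSNames:              []string{"www.example.com"},
		BasicConstraintsValid: true, IsCA: false,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, unconstrained, caKey)
	return
}

func main() {
	u, c, l, err := BuildExamples()
	if err != nil {
		panic(err)
	}
	for _, x := range []*x509.Certificate{u, c, l} {
		fmt.Printf("%-32s CA=%-5v constrained=%-5v disclose=%v\n",
			x.Subject.CommonName, isCACapable(x), isTechnicallyConstrained(x), RequiresDisclosure(x))
	}
}
```

Running it prints one line per constructed certificate: only the unconstrained CA comes out as needing disclosure; the constrained sub-CA is exempt because it carries a serverAuth-only EKU together with a dNSName Name Constraint, and the leaf is not CA-capable at all. To apply the same check to a real certificate such as the crt.sh entry in the post, feed the DER bytes from `x509.ParseCertificate` into `RequiresDisclosure` and then confirm the chain and CCADB status separately.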