Hi, this is my reply in the bugzilla
Hi all, what Franck is saying is true and we haven't started to issue any cert using this new path. Regarding the info that is in this bug I'm really shocked because the majority of them are revoked and I don't understand why they have been included here. Those which are not revoked are due to using different curves (P-384, P-521), which have been discussed in the Mozilla m.d.s.p. as well as the CAB Forum and there's no conclusion yet, but in any case we're not allowing their use anymore. There are curves allowed in the BRs that Mozilla does not include.

1. The un-revoked test certificates are those pre-signed ones with uncompleted CT log. So they are not completed certificates.
https://crt.sh/?opt=cablint&id=134843670
https://crt.sh/?opt=cablint&id=134843674
https://crt.sh/?opt=cablint&id=134843685
https://crt.sh/?opt=cablint&id=139640371

2. Other un-revoked certificates have the same error:
ERROR: Unallowed key usage for EC public key (Key Encipherment)
https://crt.sh/?opt=cablint&id=153404034
https://crt.sh/?opt=cablint&id=160150786
https://crt.sh/?opt=cablint&id=149445010
https://crt.sh/?opt=cablint&id=150133570

And what I don't understand are those comments of "very sloppy issuance practices", "many non-BR compliant", "specially given the historic issues with StartCom", and I consider them very unfair. These are subjective opinions which are very dangerous and not fair. This is a totally new system that is not related with "the historic issues" at all, so whatever happened in the past is not related (and we could talk a lot about why StartCom was distrusted in the past); only the name is the same. Some of the issues are also related to what has been discussed in the CABF regarding Unicode and punycode in domains, etc., and even though there's no conclusion as the ballot failed, we decided to revoke those to avoid issues, but you include them here as non-BR compliant and very sloppy issuance practices.

Finally I'd like to understand also why it has been asked to create OneCRL entries for these subCAs. I may think this post and some other comments in the m.d.s.p. are malicious and I don't know why.

Regards
Best regards
Iñigo Barreira
CEO StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Franck Leroy via dev-security-policy
Sent: Thursday, 3 August 2017 9:59
To: [email protected]
Subject: Re: StartCom cross-signs disclosed by Certinomis

Hello,

the 2 CA certificates signed by Certinomis have been retained until a full successful WebTrust audit. At the end of June the audit report from PwC was available but with still some minor issues. I asked StartCom to correct them. On July 14th the audit report and the policy were updated and published on the StartCom website. On the first of August I received the agreement from my management to send the CA certificates to StartCom. So I disclosed them in the CCADB, with the corresponding policy documents and audit reports, before sending them to Inigo. So StartCom was not able to use the path via our Root before yesterday.

If there are some previously issued TLS certificates that do not comply with the BRs, then these TLS certificates have to be revoked.

Best regards
Franck Leroy
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
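The cablint finding quoted in the thread, "Unallowed key usage for EC public key (Key Encipherment)", and the curve question (P-384/P-521 allowed by the BRs, a narrower list elsewhere) are both checks a CA can run on its own output before issuance. The following is an added example, not code from the thread, StartCom, Certinomis or cablint: it decodes the two DER fragments that matter (the AlgorithmIdentifier inside subjectPublicKeyInfo and the KeyUsage BIT STRING) and applies the two rules. The DER fragments are constructed by hand for the example, and the narrower curve list is an assumption standing in for a root program that excludes P-521.

```python
"""Lint an X.509 public key's algorithm/curve against its KeyUsage bits (added example)."""

# RFC 5280 KeyUsage bit positions; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
CURVE_NAMES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

# Curve sets: the BR list as the thread describes it, and an assumed narrower
# root-program list that leaves out P-521.
BR_CURVES = {"P-256", "P-384", "P-521"}
NARROW_CURVES = {"P-256", "P-384"}


def read_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset; return (tag, content, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def decode_oid(value: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:          # base-128, high bit set on all but the last octet of an arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING into the set of named bits that are set."""
    tag, value, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = value[0]                        # first content octet: number of unused trailing bits
    total_bits = (len(value) - 1) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if value[1 + i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def parse_spki_algorithm(der: bytes):
    """Decode an AlgorithmIdentifier SEQUENCE; return (algorithm OID, curve name or None)."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    _, alg_oid, off = read_tlv(seq)
    algorithm = decode_oid(alg_oid)
    curve = None
    if algorithm == OID_EC_PUBLIC_KEY and off < len(seq):
        ptag, params, _ = read_tlv(seq, off)
        if ptag == 0x06:  # namedCurve form only; explicit curve parameters are not handled
            curve = CURVE_NAMES.get(decode_oid(params), decode_oid(params))
    return algorithm, curve


def lint_public_key(spki_alg_der: bytes, key_usage_der: bytes, allowed_curves=BR_CURVES) -> list:
    """Return lint errors. keyEncipherment is meaningless for an EC key (it cannot wrap
    a key by encryption) and keyAgreement is defined for DH/ECDH keys, not RSA
    (RFC 5280 4.2.1.3); the curve must also be in the caller's allowed set."""
    errors = []
    algorithm, curve = parse_spki_algorithm(spki_alg_der)
    usages = parse_key_usage(key_usage_der)
    if algorithm == OID_EC_PUBLIC_KEY:
        if "keyEncipherment" in usages:
            errors.append("Unallowed key usage for EC public key (Key Encipherment)")
        if curve not in allowed_curves:
            errors.append(f"EC curve {curve} not in the allowed set")
    elif algorithm == OID_RSA_ENCRYPTION and "keyAgreement" in usages:
        errors.append("Unallowed key usage for RSA public key (Key Agreement)")
    return errors


# Constructed DER fragments for the example (not taken from any certificate in the thread).
ALG_EC_P256 = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
ALG_EC_P521 = bytes.fromhex("3010" "06072a8648ce3d0201" "06052b81040023")
ALG_RSA = bytes.fromhex("300d" "06092a864886f70d010101" "0500")
KU_DIGSIG_KEYENC = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
KU_DIGSIG = bytes.fromhex("03020780")           # digitalSignature only
KU_DIGSIG_KEYAGREE = bytes.fromhex("03020388")  # digitalSignature + keyAgreement

if __name__ == "__main__":
    for label, alg, ku, curves in [
        ("EC P-256, digSig+keyEnc", ALG_EC_P256, KU_DIGSIG_KEYENC, BR_CURVES),
        ("EC P-256, digSig", ALG_EC_P256, KU_DIGSIG, BR_CURVES),
        ("EC P-521, digSig, BR list", ALG_EC_P521, KU_DIGSIG, BR_CURVES),
        ("EC P-521, digSig, narrow list", ALG_EC_P521, KU_DIGSIG, NARROW_CURVES),
        ("RSA, digSig+keyAgree", ALG_RSA, KU_DIGSIG_KEYAGREE, BR_CURVES),
    ]:
        print(f"{label}: {lint_public_key(alg, ku, curves) or 'OK'}")
```

The first case reproduces the thread's cablint error; the P-521 case passes against the BR set and fails only against the narrower set, which is the disagreement the reply describes.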

