If I'm reading this correctly, these certificates are for internal services, not publicly accessible. Could they add their intermediate directly to these trust stores, allowing you to revoke it?
Failing that, it sounds like OneCRL would be an appropriate remedy.

Alex

On Thu, Aug 3, 2017 at 10:38 AM, Ben Wilson via dev-security-policy <email@example.com> wrote:
> Nick and Mozilla Community,
>
> Here is the response from Intesa Sanpaolo concerning the disruption that revocation will cause to their banking operations:
>
> Good Evening Ben,
>
> About the problem with the certificate you recently notified us of, I confirm to you that we have replaced the certificates today, so we have now revoked the wrong one.
>
> Concerning the CA revocation, first of all, I want to underline that for us it would be a major issue: we don't have enough time and resources to replace all the certificates before the end of the year, and the revocation of the CA will cause us several critical operating problems with our infrastructural services.
>
> Moreover, I would like to inform you that in order to rationalize our infrastructure and create new synergy between our suppliers, we've planned to move our certificates to an Italian CA outsourcer. We have already started this activity and our intent is to complete the migration before the end of the year, to respect the contract we have settled, with deadline December 31st, 2017.
>
> Therefore I have to kindly recommend you not to revoke the CA before the end of the contract, because it will cause several problems to the Bank and to our users (customers and colleagues).
>
> We are available to set up a conference call with you to discuss the matter.
> Looking forward to hearing from you.
>
> Best regards,
> Riccardo D'Agostini
>
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Ben Wilson via dev-security-policy
> Sent: Thursday, August 3, 2017 7:33 AM
> To: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Certificate with invalid dnsName issued from Baltimore intermediate
>
> That would be fine. Also, we have given Intesa Sanpaolo a scheduled revocation date of 15 August 2017, and I'm waiting to hear back.
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
> Sent: Wednesday, August 2, 2017 10:34 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate
>
> On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson wrote:
> > Nick,
> > We are in discussions with Intesa Sanpaolo about implementing/pursuing OneCRL or a similar approach (e.g. outright revocation of the CAs).
> > Thanks,
> > Ben
>
> Is there any progress on this? To be honest I was more meaning that Mozilla (Gerv?) should just add this subCA to OneCRL and be done with it.
>
> _______________________________________________
> dev-security-policy mailing list
> firstname.lastname@example.org
> https://lists.mozilla.org/listinfo/dev-security-policy
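A worked illustration of the two remedies raised in this reply, a OneCRL entry for the intermediate versus installing the intermediate itself as an anchor in a private trust store. This is an added example, not code from the thread or from Mozilla, DigiCert or Intesa Sanpaolo. Every certificate, name and serial in it is constructed on the fly; it assumes the Python `cryptography` package, and it models OneCRL only as a set of (issuer name, serial number) pairs consulted for every certificate on the path, which is the shape of a OneCRL entry, not Firefox's actual implementation.

```python
"""Added example: cutting an intermediate out of a chain without touching the root.
Models two remedies: (1) a OneCRL-style block list keyed by (issuer, serial) and
(2) pinning the intermediate as a trust anchor in a private store.
All keys, names and certificates below are constructed; requires `cryptography`."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_DEPTH = 8  # assumption: no real-world chain this example handles is deeper


def _make_cert(cn, issuer_cert, issuer_key, key, is_ca):
    """Build a minimal certificate; self-signed when issuer_cert is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    start = datetime.datetime(2017, 8, 1, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def make_demo_pki():
    """Constructed root -> intermediate -> leaf hierarchy (ECDSA P-256)."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Demo Root (constructed)", None, root_key, root_key, True)
    inter_key = ec.generate_private_key(ec.SECP256R1())
    inter = _make_cert("Demo Intermediate (constructed)", root, root_key, inter_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _make_cert("intranet.example.test", inter, inter_key, leaf_key, False)
    return root, inter, leaf


def onecrl_entry(cert):
    """A OneCRL entry names a revoked CA cert by its issuer DN and serial number."""
    return (cert.issuer.rfc4514_string(), cert.serial_number)


def _signed_by(cert, issuer):
    """True if `issuer`'s key verifies `cert`'s ECDSA signature over its TBS bytes."""
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, intermediates, anchors, blocklist=frozenset()):
    """Walk issuer links from the leaf until a trust anchor is reached.

    Returns the chain, leaf first and anchor last. Raises ValueError when any
    cert on the path (the anchor included) is on the block list, or when no
    trusted issuer is found. Only signatures and the block list are checked;
    real path validation also checks dates, basicConstraints, EKU, name
    constraints and CRL/OCSP status.
    """
    chain = [leaf]
    current = leaf
    for _ in range(MAX_DEPTH):
        if onecrl_entry(current) in blocklist:
            raise ValueError("blocked: %s" % current.subject.rfc4514_string())
        if current in anchors:
            return chain
        for cand in list(anchors) + list(intermediates):
            if cand.subject == current.issuer and _signed_by(current, cand):
                chain.append(cand)
                current = cand
                break
        else:
            raise ValueError("no trusted issuer for %s" % current.subject.rfc4514_string())
    raise ValueError("chain too long")


def run_scenarios():
    """Run the four cases; returns {scenario: chain length, or None if rejected}."""
    root, inter, leaf = make_demo_pki()
    block = frozenset({onecrl_entry(inter)})
    cases = {
        "public store, no revocation": ([inter], [root], frozenset()),
        "public store, OneCRL entry for intermediate": ([inter], [root], block),
        "private store pinning the intermediate, no OneCRL": ([], [inter], frozenset()),
        "private store pinning it but still consuming OneCRL": ([], [inter], block),
    }
    results = {}
    for name, (inters, anchors, bl) in cases.items():
        try:
            results[name] = len(build_chain(leaf, inters, anchors, bl))
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        verdict = "accepted, chain length %d" % outcome if outcome else "rejected"
        print("%-55s %s" % (name, verdict))
```

The third scenario is the case this reply asks about: an internal client whose own trust store holds the intermediate as an anchor builds a two-certificate chain and never needs the public root, so revoking the intermediate in the public hierarchy does not affect it. The fourth scenario shows the caveat: a client that pins the intermediate but still consults a OneCRL-style list rejects the path anyway, because the block list is applied to every certificate on it, so pinning only helps clients outside the scope of that list.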