On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote:
> However, I think it is fine for Certinomis to cross-sign with new StartCom
> subCA certs, as long as Certinomis ensures that Mozilla's Root Store
> Policy is being followed.

... which they didn't. So there's that.

> > 1) Many of the certificates are improperly validated “test”
> > certificates, a practice that is extremely problematic and indicates a
> > lack of or circumvention of technical controls.
>
> Yes, this is problematic. But other CAs have also had this problem, and
> for the other CAs we have worked with them to ensure the practice is
> stopped, tools/process put in place to prevent it in the future,
> problematic certs revoked, etc. But this type of mis-issuance has not yet
> been considered grounds for adding the relevant intermediate cert to
> OneCRL.

Those are CAs which have been operational for some time though, and which have certificates "in the wild" which would be distrusted, correct? That's a somewhat different case to this one, where nothing important is hanging off the intermediate, so distrusting it doesn't hurt relying parties, only the CA -- which is fine, because it's the CA's fault the distrust is required, so it's entirely self-inflicted pain.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy