Unless I am greatly misunderstanding, this certificate appears unsuited to actual use in a web server, due to the Common Name not in the least bit resembling a DNS name or IP address. So this is a pretty clear example of the situation where a CA has misunderstood Mozilla policy requirements concerning what would be "in scope" for the policy, rather than issuing certificates that obviously could be used for TLS while denying that they "intended" to do so.
The Transparency log shows nothing since 2016, maybe FNMT can tell us whether this means all issuance from the affected subCA has ceased? If so maybe a revocation (including via OneCRL) is in order.

During the previous m.d.s.policy discussion we were assured that audits should pick up any such issuance. Was such an audit performed between the date of the assurance and today? Did it pick this up? I think the answer to that question is important _regardless_ of action specific to this incident because it will help inform the future use of audit.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy