Unless I am greatly misunderstanding, this certificate appears unsuited to
actual use in a web server, due to the Common Name not in the least bit
resembling a DNS name or IP address. So this is a pretty clear example of the
situation where a CA has misunderstood Mozilla policy requirements concerning
what would be "in scope" for the policy, rather than issuing certificates that
obviously could be used for TLS while denying that they "intended" to do so.
The Transparency log shows nothing since 2016; maybe FNMT can tell us whether
this means all issuance from the affected subCA has ceased? If so, maybe a
revocation (including via OneCRL) is in order.
During the previous m.d.s.policy discussion we were assured that audits should
pick up any such issuance. Was such an audit performed between the date of the
assurance and today? Did it pick this up? I think the answer to that question
is important _regardless_ of action specific to this incident because it will
help inform the future use of audit.
dev-security-policy mailing list
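An added example, not part of the post above and not FNMT's or Mozilla's tooling: a small stdlib-only Python check for the point the post makes, namely whether the identifiers in a certificate (Common Name plus any subjectAltNames) resemble a DNS name or an IP address at all, and so whether the certificate could plausibly be used for TLS server authentication. The function names, the name-syntax heuristic and the sample identifiers are all mine and are constructed; the check is a triage heuristic, not the CA/Browser Forum definition of a TLS-capable certificate.

```python
import ipaddress
import re

# RFC 1123 hostname label: 1-63 characters, letters, digits and hyphens,
# with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_ip(name):
    """True if the identifier parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def looks_like_dns_name(name):
    """Heuristic (constructed): does this look like a public DNS name?"""
    if not name or len(name) > 253 or looks_like_ip(name):
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:                 # bare single labels such as "localhost"
        return False
    first, rest = labels[0], labels[1:]
    if first != "*" and not _LABEL.match(first):   # allow a leftmost wildcard
        return False
    if not all(_LABEL.match(label) for label in rest):
        return False
    if rest[-1].isdigit():              # an all-numeric TLD is not a hostname
        return False
    return True


def classify_name(name):
    """Return "ip", "dns", or "other" for one subject identifier."""
    if looks_like_ip(name):
        return "ip"
    if looks_like_dns_name(name):
        return "dns"
    return "other"


def tls_capable_identifiers(subject_cn, sans=()):
    """Identifiers (CN plus SANs) that a TLS client could match a server to.

    An empty result is the situation the post describes: a certificate whose
    names cannot be used for web-server authentication regardless of its
    key usage bits. Constructed helper, not a policy-defined notion.
    """
    candidates = [subject_cn] + list(sans)
    return [n for n in candidates if n and classify_name(n) != "other"]


if __name__ == "__main__":
    # Constructed sample identifiers, chosen to illustrate each branch.
    samples = ["www.example.com", "*.example.com", "192.0.2.10",
               "2001:db8::1", "Some Organisation Signing Service",
               "jane.doe@example.invalid", "localhost"]
    for s in samples:
        print(f"{s!r:40} -> {classify_name(s)}")
    print(tls_capable_identifiers("Some Organisation Signing Service",
                                  ["jane.doe@example.invalid"]))   # []
```

Run over a real certificate, the CN and SAN strings would be pulled from the parsed subject and subjectAltName extension and passed in; an empty result is a quick signal that the certificate is out of TLS scope, while a non-empty one is the case the post contrasts it with.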