Unless I am greatly misunderstanding, this certificate appears unsuited to 
actual use in a web server, due to the Common Name not in the least bit 
resembling a DNS name or IP address. So this is a pretty clear example of the 
situation where a CA has misunderstood Mozilla policy requirements concerning 
what would be "in scope" for the policy, rather than issuing certificates that 
obviously could be used for TLS while denying that they "intended" to do so.

The Transparency log shows nothing since 2016; maybe FNMT can tell us whether 
this means all issuance from the affected subCA has ceased? If so, maybe a 
revocation (including via OneCRL) is in order.

During the previous m.d.s.policy discussion we were assured that audits should 
pick up any such issuance. Was such an audit performed between the date of the 
assurance and today? Did it pick this up? I think the answer to that question 
is important _regardless_ of action specific to this incident because it will 
help inform the future use of audit.
dev-security-policy mailing list