> On Aug 15, 2017, at 15:45, Ryan Sleevi via dev-security-policy <[email protected]> wrote:
>
> I would note that any CA which does not or has not promptly revoked these
> within 24 hours of contact should, at a minimum, contact all root programs
> that they participate in to acknowledge this non-compliance and discuss
> what expectations other, non-Mozilla Root Programs have with respect to
> these certificates. Similarly, if such programs have requirements around
> "Security Incident Reporting," that CAs are timely in such reports.
It's worth noting that, with the exception of the metadata-only subject fields issue, Alex and I have attempted to contact every CA listed directly via their public certificate problem reporting channels. In addition to this, the Mozilla Root Store policy requires all CAs to monitor this mailing list.

So there are only two categories for a CA that has not taken action yet:

1) They are not monitoring either this list or their problem reporting channels (or in some cases, those channels are inoperative) and as a result are not aware of the issues; or

2) They are aware of the issues and have not taken action.

I believe that both of these categories are extremely concerning.

Jonathan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

