Our Policy Management Authority completed review of this and numerous other
changes on September 8. The GeoTrust and Thawte CPS were updated that day. The
Symantec CP and CPS were updated the following day.

Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Andrew Ayer via dev-security-policy
> Sent: Friday, September 08, 2017 3:25 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT] CAs not compliant with CAA CP/CPS requirement
>
> The BRs state:
>
> "Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy
> and/or Certification Practice Statement (section 4.1 for CAs still conforming
> to RFC 2527) SHALL state the CA's policy or practice on processing CAA
> Records for Fully Qualified Domain Names; that policy shall be consistent
> with these Requirements. It shall clearly specify the set of Issuer Domain
> Names that the CA recognises in CAA 'issue' or 'issuewild' records as
> permitting it to issue. The CA SHALL log all actions taken, if any, consistent
> with its processing practice."
>
> Since it is now 8 September 2017, I decided to spot check the CP/CPSes of
> some CAs.
>
> At time of writing, the latest published CP/CPSes of the following CAs are
> not compliant with the above provision of the BRs:
>
> Amazon (https://www.amazontrust.com/repository/) - Does not check CAA
>
> Comodo (https://www.comodo.com/about/comodo-agreements.php) - Does not specify issuer domain names
>
> DigiCert (https://www.digicert.com/legal-repository/) - Does not specify issuer
> domain names, and processing is not compliant with BRs ("If a CAA record exists
> that does not list DigiCert as an authorized CA, DigiCert verifies that the
> applicant has authorized issuance, despite the CAA record.")
>
> Google Trust Services (https://pki.goog/) - Does not check CAA
>
> Identrust (https://secure.identrust.com/certificates/policy/ts/) - Does not check CAA
>
> Izenpe (http://www.izenpe.eus/s15-content/en/contenidos/informacion/descarga_certificados/es_url/index.shtml)
> - Does not specify issuer domain names
>
> PROCERT (https://www.procert.net.ve/eng/ca.html) - No mention of CAA
>
> Symantec / GeoTrust
> (https://www.geotrust.com/resources/repository/legal/)
> - Does not specify issuer domain names
>
> Trustis (https://www.trustis.com/pki/trustis-ssl/standard/index.htm) - No mention of CAA
>
> Visa (http://www.visa.com/pki/) - Does not check CAA
>
>
> These CAs have compliant CP/CPSes:
>
> Entrust
>
> GlobalSign
>
> GoDaddy
>
> Let's Encrypt
>
> QuoVadis
>
> Trustwave
>
>
> It would be nice to hear confirmation from the non-compliant CAs that they
> really are checking CAA as required, and if so, why they overlooked the
> requirement to update their CP/CPS.
>
> Regards,
> Andrew
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
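The BR text quoted in Andrew's message requires a CA to check CAA records and to state which Issuer Domain Names it recognises in `issue` / `issuewild` records. The following is an added example (not code from this thread, from Symantec, or from any CA named above) showing what that check looks like on the CA side: the RFC 6844 relevant-record-set lookup (climb from the FQDN towards the root and stop at the first non-empty CAA RRset), `issuewild` precedence for wildcard names, the `;` "nobody may issue" value, and refusal on an unrecognised critical tag. The zone data, the issuer domain `ca.example` and the hostnames are constructed; CNAME/DNAME following and DNSSEC validation are deliberately left out, so this is a teaching model of the decision, not a production resolver.

```python
"""Added example: CA-side CAA evaluation modelled on RFC 6844 (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int  # 0 or CRITICAL
    tag: str    # "issue", "issuewild", "iodef", or something unknown
    value: str  # e.g. "ca.example; account=42", or ";" meaning no issuer allowed


# Constructed zone data standing in for DNS answers (not real records).
CONSTRUCTED_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca.example; account=42"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "wild.example.com": [
        CAARecord(0, "issue", "ca.example"),
        CAARecord(0, "issuewild", "other-ca.example"),
    ],
    "strict.example.com": [
        CAARecord(CRITICAL, "futuretag", "x"),  # hypothetical unknown critical tag
        CAARecord(0, "issue", "ca.example"),
    ],
}


def relevant_record_set(fqdn: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 6844 section 4: the relevant set is the first non-empty CAA RRset found
    walking from the FQDN up through its parents. (CNAME/DNAME handling omitted.)"""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """The issuer domain is the text before the first ';'; parameters follow it."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, recognised_issuers: Set[str],
                zone: Dict[str, List[CAARecord]] = CONSTRUCTED_ZONE) -> Tuple[bool, str]:
    """Decide whether a CA recognising `recognised_issuers` (the Issuer Domain
    Names stated in its CPS) may issue for `fqdn`. Returns (permitted, reason);
    the reason is what the BRs expect the CA to log for the action taken."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    rrset = relevant_record_set(base, zone)
    if not rrset:
        return True, "no CAA records found in the tree; issuance unrestricted"

    # An unrecognised tag with the critical flag set blocks issuance outright.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag.lower() not in {"issue", "issuewild", "iodef"}:
            return False, f"unrecognised critical tag '{rec.tag}' present"

    tags = {rec.tag.lower() for rec in rrset}
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    if wildcard and "issuewild" in tags:
        applicable = [r for r in rrset if r.tag.lower() == "issuewild"]
    else:
        applicable = [r for r in rrset if r.tag.lower() == "issue"]
    if not applicable:
        return True, "relevant set carries no applicable issue/issuewild restriction"

    allowed = {issuer_domain(r.value) for r in applicable}
    matched = allowed & {d.lower() for d in recognised_issuers}
    if matched:
        return True, f"CAA authorises recognised issuer domain {sorted(matched)[0]}"
    # A bare ';' yields the empty issuer domain here, which never matches: nobody may issue.
    return False, f"CAA does not authorise this CA (permitted issuers: {sorted(allowed)})"


if __name__ == "__main__":
    ca = {"ca.example"}
    for name in ["www.example.com", "locked.example.com", "*.wild.example.com",
                 "host.wild.example.com", "strict.example.com", "nocaa.example.org"]:
        ok, why = caa_permits(name, ca)
        print(f"{name:24} {'ISSUE' if ok else 'REFUSE'}  {why}")
```

The DigiCert wording Andrew quotes ("verifies that the applicant has authorized issuance, despite the CAA record") is the behaviour this model refuses: when the relevant set has `issue`/`issuewild` records and none names the CA, `caa_permits` returns `False`, and no applicant-side confirmation overrides that.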
