I'm fairly confused by your answers. If the only thing you tested in production was CT, why was the system issuing non-compliant certs? Why did production CT testing come before having established, tested, and verified a compliant certificate profile?

Alex

On Fri, Sep 15, 2017 at 10:35 AM, Inigo Barreira via dev-security-policy <[email protected]> wrote:

> > On 15/09/17 11:01, Inigo Barreira wrote:
> > > Considering that we were distrusted, that we didn't reapply for inclusion, that CT is only required by Chrome and it's not included in the Mozilla policy (even we were requested that all of our certs had to be CT logged) nor required by Firefox, that those certs were under our control all the time and lived for some minutes because were revoked immediately, at that time, when we did it, we didn't expect this reaction for sure.
> >
> > But surely CT testing is not the only sort of testing you've been doing?
>
> Yes, this is the only test we did in production
>
> > E.g. you made some test certificates with different types of ECC curve, which you then had to revoke some of as against browser policies.
>
> No, those weren't tests. We allowed the use of curves permitted by the BRs but this issue came up in the Mozilla policy (I think Arkadiusz posted) and I also asked about it in the last CABF F2F (I asked Ryan about it) and then, with that outcome and as the browsers didn't accept them, we revoked and then not allow the issuance. I think the discussion is still active (i.e. the use of P-521).
>
> > If these had been in a testing hierarchy there would have been no problem.
> >
> > CAs have been heavily criticised over the past few years for issuing test certificates in public hierarchies (see e.g. Symantec). The danger of doing so should be well known to all CAs by now.
>
> Yes, I know. But the only testing we did in production was the one related to the CT.
>
> > Perhaps once a test has been passed and checked in a testing system, and if the certificates concerned do not violate any policies, it could be repeated on a production system to deal with any possible differences between the two.
> > But starting with the production system is not a good idea.
>
> True, but it seems you're understanding that we have only a production system in which we test everything and this is not the case. Before moving anything into production, we have tested in development and in the QA system.
>
> > Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

