Well, the use of P-521 is not compliant with Mozilla policy but it is with the BRs, so 
I don't understand what you mean. I think we're not the only ones who have issued 
certs using P-521, for example, and I assume that all other CAs have tested, 
established and verified that their certs are compliant.

We're seeing that everyone has made mistakes and mis-issuances, and I think all have tested 
everything. Regarding the use of these curves, I think even Gerv said in August 
to leave the policy as it is; the BRs still allow their use. 

After checking that this was "incorrect", we revoked the certs and set the new 
conditions not allowing them. Since July we don't use these curves, which is a 
month before the Mozilla decision.


Best regards


Iñigo Barreira

CEO

StartCom CA Limited


From: Alex Gaynor [mailto:[email protected]] 
Sent: Friday, 15 September 2017 16:32
To: Inigo Barreira <[email protected]>
Cc: Gervase Markham <[email protected]>; James Burton <[email protected]>; 
[email protected]
Subject: Re: FW: StartCom inclusion request: next steps


I'm fairly confused by your answers. If the only thing you tested in production 
was CT, why was the system issuing non-compliant certs? Why did production CT 
testing come before having established, tested, and verified a compliant 
certificate profile?


Alex


On Fri, Sep 15, 2017 at 10:35 AM, Inigo Barreira via dev-security-policy 
<[email protected] 
<mailto:[email protected]> > wrote:

> On 15/09/17 11:01, Inigo Barreira wrote:
> > Considering that we were distrusted, that we didn't reapply for
> > inclusion, that CT is only required by Chrome and it's not included
> > in the Mozilla policy (even though we were requested that all of our certs
> > had to be CT logged) nor required by Firefox, that those certs were
> > under our control all the time and lived for some minutes because they were
> > revoked immediately, at that time, when we did it, we didn't expect
> > this reaction for sure.
>
> But surely CT testing is not the only sort of testing you've been doing?

Yes, this is the only test we did in production.

> E.g. you made some test certificates with different types of ECC curve, which
> you then had to revoke some of as against browser policies.

No, those weren't tests. We allowed the use of curves permitted by the BRs, but 
this issue came up in the Mozilla policy (I think Arkadiusz posted it) and I also 
asked about it at the last CABF F2F (I asked Ryan about it), and then, with that 
outcome and as the browsers didn't accept them, we revoked them and then stopped allowing 
their issuance. I think the discussion is still active (i.e. the use of P-521).

> If these had been in a testing hierarchy there would have been no problem.
>
> CAs have been heavily criticised over the past few years for issuing test
> certificates in public hierarchies (see e.g. Symantec). The danger of doing so
> should be well known to all CAs by now.

Yes, I know. But the only testing we did in production was the one related to 
CT.
>
> Perhaps once a test has been passed and checked in a testing system, and if
> the certificates concerned do not violate any policies, it could be repeated on
> a production system to deal with any possible differences between the two.
> But starting with the production system is not a good idea.

True, but it seems you're assuming that we have only a production system 
in which we test everything, and this is not the case. Before moving anything 
into production, we have tested it in development and in the QA system.
>
> Gerv

_______________________________________________
dev-security-policy mailing list
[email protected] 
<mailto:[email protected]> 
https://lists.mozilla.org/listinfo/dev-security-policy
