Hi Gerv
> But once the cross-signed cert is publicly available (and it is; it's in CT,
> however it got there), all of those certificates become trusted (or
> potentially trusted, if the owner reconfigures their webserver to serve the
> intermediate, or if Firefox has already encountered it in the current
> browsing session).
>
True
> > This is something I don't understand. Why do you say the audits I
> > presented don't meet the BRs? Because of the findings? The auditors
> > indicate those were fixed.
>
> I don't believe there's a formal way for an auditor to bindingly say "by the
> way, the problems we found have since been fixed" in an audit report.
Not bindingly, but we provided a CAP (Corrective Action Plan) for all those
findings, indicating what we did to fix them, and provided the evidence and what
we were going to do for those that couldn't be fixed before receiving the
report.
> But to help me understand: exactly what statement on what page of your audit
> report(s) are you referring to here?
It's in a section called "other questions" in which they say "Startcom has
developed a plan of corrective actions with the objective of solving the
identified exceptions, having been implemented the majority of these actions".
>
> > About the remediation steps, well, I answered the bug about it providing all
> > the info and yes, you haven't answered yet, neither to approve nor to deny.
>
> Right. So why are you proceeding?
>
> You might reasonably complain it's taken us a while to respond to that
> comment about the steps. Yes, it has. The Mozilla inclusion process is slow.
> :-(
Well, because I wanted to speed up the process if possible. We did everything
that was requested and replied in the bug. We also applied for the inclusion and
nobody said anything about it. Kathleen told me that it was going to be slow
because the queue was long, so I was waiting, no problem, but I didn't know that
I needed to ask permission to apply.
>
> >>> In fact, recently, I asked for permission to use the Certinomis
> >>> cross-signed
> >> certificates and have no response. I don't know if this is an
> >> administrative silence which may allow me to use it, but until having
> >> a clear direction we haven't used it.
> >>
> >> Can you remind me how you asked and when?
> >
> > It was in an email of sept 4th, titled "StartCom communication" in
> > which at the end of the long email I asked for feedback to use the
> > cross-signed certificates and give additional explanations
>
> I have no record of any email with that title, or any email from you between
> 15th August ("Re: Problem Reporting Mechanism") and 11th September ("Re:
> Remove old Startcom roots from NSS"). Where did you send it?
I sent it to the m.d.s.p list and got a reply from Andrew Ayer almost
immediately.
>
> Gerv
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

