The CA Certificates module owner and peers have come to a decision regarding our investigations into the activities of the CA "PROCERT".
A large number of issues were raised regarding the operations and practices of this CA: https://wiki.mozilla.org/CA:PROCERT_Issues Considering them, it seems clear to us that PROCERT have not been, and continue not to be, adequately aware of the requirements placed upon them by various RFCs, the CA/Browser Forum's Baseline Requirements, and Mozilla Root Store Policy. They have not demonstrated sufficient control of their issuance pipeline or sufficient checking of the results to avoid regularly creating certificates which violate the requirements of one or more of those documents. PROCERT have also made assurances to us, via responses to CA Communications, that certain things were true which are manifestly not so (e.g. that they were using properly-randomized serial numbers). In addition, PROCERT's response to these issues was inadequate. While they revoked (most, but not all, of) the certificates which were flagged as problematic, their written responses have been limited in number and are very superficial. In some cases, it is clear that they have not understood the issue that was raised. They have not, to our knowledge, performed any root cause analysis which might allow us to have some confidence that problems of this or a similar nature will not recur. We have very little insight into their systems and what, if any, safeguards they have in place. It seems that PROCERT's belief is that revocation is an adequate remedy for all of the problems listed. We disagree. Therefore, we feel we can no longer trust PROCERT, and plan to proceed with removing their "PSPProcert" certificate from our root program and root store. Kathleen Wilson Gervase Markham Ryan Sleevi _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy