On Thursday, September 21, 2017 at 11:23:28 AM UTC-5, Gervase Markham wrote:
> The CA Certificates module owner and peers have come to a decision
> regarding our investigations into the activities of the CA "PROCERT".
> 
> A large number of issues were raised regarding the operations and
> practices of this CA:
> https://wiki.mozilla.org/CA:PROCERT_Issues
> 
> Considering them, it seems clear to us that PROCERT have not been, and
> continue not to be, adequately aware of the requirements placed upon
> them by various RFCs, the CA/Browser Forum's Baseline Requirements, and
> Mozilla Root Store Policy. They have not demonstrated sufficient control
> of their issuance pipeline or sufficient checking of the results to
> avoid regularly creating certificates which violate the requirements of
> one or more of those documents. PROCERT have also made assurances to us,
> via responses to CA Communications, that certain things were true which
> are manifestly not so (e.g. that they were using properly-randomized
> serial numbers).
> 
> In addition, PROCERT's response to these issues was inadequate. While
> they revoked (most, but not all, of) the certificates which were flagged
> as problematic, their written responses have been limited in number and
> are very superficial. In some cases, it is clear that they have not
> understood the issue that was raised. They have not, to our knowledge,
> performed any root cause analysis which might allow us to have some
> confidence that problems of this or a similar nature will not recur. We
> have very little insight into their systems and what, if any, safeguards
> they have in place.
> 
> It seems that PROCERT's belief is that revocation is an adequate remedy
> for all of the problems listed. We disagree. Therefore, we feel we can
> no longer trust PROCERT, and plan to proceed with removing their
> "PSPProcert" certificate from our root program and root store.
> 
> Kathleen Wilson
> Gervase Markham
> Ryan Sleevi

Will there be any sort of deprecation period for PROCERT certificates as with 
StartCom/WoSign & Symantec? Or is PROCERT small enough that you believe it's 
feasible to just immediately distrust them without any significant negative 
impact on the overall web ecosystem?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy