On Fri, Dec 8, 2017 at 3:55 PM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> So I wonder: If a CA signs an intermediate - are they responsible for
> making sure that reports brought to the subca are properly handled?

The root CA is ultimately responsible for subordinate CAs it has signed. That's why I asked DigiCert for an incident report via https://bugzilla.mozilla.org/show_bug.cgi?id=1424305

Having said that, I do think there are a few opportunities for improvement here. DigiCert couldn't directly revoke the compromised certificates, so I think it makes sense to add problem reporting mechanisms for subordinate CAs to CCADB when they differ from the root. That would also help when the problem reporting mechanism is buried in the CPS or when a general email address is published but there is no indication that it is the one the CA monitors 24x7 for certificate problem reports (both issues apply here).

Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy