On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:


NOTE: The fact that I have snipped some of the items under "==Bad=="
does not mean I consider them unimportant. However, the items on
which I comment I consider to be most important.

> ==Bad==
> * The inclusion request references a much older CPS [3] that doesn't list
> the 2016 versions of these roots or comply with current policies. I only
> reviewed the newer CPS [5], but this CPS (section 1.2.1) doesn't cover the
> older roots that are currently included. I believe this is a compliance
> issue with the currently included AC Camerfirma roots.

Is the above not sufficient to terminate the public review?


> * Last year, Camerfirma signed a contract with StartCom as a delegated RA.
> While I don’t believe the Startcom distrust plan [2] specifically forbade
> this, it was found that Camerfirma was not performing domain validation on
> the OV certificates [4] as required by the BRs.  

I would strongly suggest that further action be deferred until the cited
contract can be confirmed to have been terminated.


> * There are a few published, misissued, and currently unrevoked
> certificates in the CCR2016 hierarchy:
> https://crt.sh/?caid=50473&opt=cablint,zlint,x509lint&minNotBefore=2011-01-01

If Camerfirma had been already approved and its root added to the RSS
database, would not the above item be sufficient to remove that root?

David E. Ross

President Trump:  Please stop using Twitter.  We need
to hear your voice and see you talking.  We need to know
when your message is really your own and not your attorney's.
dev-security-policy mailing list