On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:

        [snipped]

NOTE: The fact that I have snipped some of the items under "==Bad=="
does not mean I consider them unimportant. However, the items on
which I comment I consider to be most important.

> ==Bad==
> * The inclusion request references a much older CPS [3] that doesn't list
> the 2016 versions of these roots or comply with current policies. I only
> reviewed the newer CPS [5], but this CPS (section 1.2.1) doesn't cover the
> older roots that are currently included. I believe this is a compliance
> issue with the currently included AC Camerfirma roots.

Is the above not sufficient to terminate the public review?

        [snipped]

> * Last year, Camerfirma signed a contract with StartCom as a delegated RA.
> While I don’t believe the StartCom distrust plan [2] specifically forbade
> this, it was found that Camerfirma was not performing domain validation on
> the OV certificates [4] as required by the BRs.

I would strongly suggest that further action be deferred until the cited
contract can be confirmed to have been terminated.

        [snipped]

> * There are a few published, misissued, and currently unrevoked
> certificates in the CCR2016 hierarchy:
> https://crt.sh/?caid=50473&opt=cablint,zlint,x509lint&minNotBefore=2011-01-01

If Camerfirma had been already approved and its root added to the RSS
database, would not the above item be sufficient to remove that root?

        [snipped]
-- 
David E. Ross
<http://www.rossde.com/>

President Trump:  Please stop using Twitter.  We need
to hear your voice and see you talking.  We need to know
when your message is really your own and not your attorney's.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
