On Fri, Mar 2, 2018 at 3:47 PM, David E. Ross via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:
>
>         [snipped]
>
> NOTE: The fact that I have snipped some of the items under "==Bad=="
> does not mean I consider them unimportant. However, the items on
> which I comment I consider to be most important.
>
> > ==Bad==
> > * The inclusion request references a much older CPS [3] that doesn't list
> > the 2016 versions of these roots or comply with current policies. I only
> > reviewed the newer CPS [5], but this CPS (section 1.2.1) doesn't cover the
> > older roots that are currently included. I believe this is a compliance
> > issue with the currently included AC Camerfirma roots.
>
> Is the above not sufficient to terminate the public review?
>
My comment may be confusing. The newer CPS specifically covers the roots
we're discussing, and the CPS is compliant with policy with the exception
of things noted in other comments. I would like Camerfirma to comment on my
conclusion about the older CPS and its applicability to the older roots.

>         [snipped]
>
> > * Last year, Camerfirma signed a contract with StartCom as a delegated RA.
> > While I don’t believe the Startcom distrust plan [2] specifically forbade
> > this, it was found that Camerfirma was not performing domain validation on
> > the OV certificates [4] as required by the BRs.
>
> I would strongly suggest that further action be deferred until the cited
> contract can be confirmed to have been terminated.
>
I would like to hear from Camerfirma on this, but StartCom did announce
that they have "terminated the company":
https://groups.google.com/d/msg/mozilla.dev.security.policy/DxbMjAN7VbY/VJ0W9LQhBwAJ

>         [snipped]
>
> > * There are a few published, misissued, and currently unrevoked
> > certificates in the CCR2016 hierarchy:
> > https://crt.sh/?caid=50473&opt=cablint,zlint,x509lint&minNotBefore=2011-01-01
>
> If Camerfirma had been already approved and its root added to the RSS
> database, would not the above item be sufficient to remove that root?
>
It would be treated as an incident, but in isolation seems unlikely to
rise to the level of root removal.

>         [snipped]
> --
> David E. Ross
> <http://www.rossde.com/>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
