On Fri, Mar 2, 2018 at 3:47 PM, David E. Ross via dev-security-policy <
> On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:
> NOTE: The fact that I have snipped some of the items under "==Bad=="
> does not mean I consider them unimportant. However, the items on
> which I comment I consider to be most important.
> > ==Bad==
> > * The inclusion request references a much older CPS that doesn't list
> > the 2016 versions of these roots or comply with current policies. I only
> > reviewed the newer CPS, but this CPS (section 1.2.1) doesn't cover
> > older roots that are currently included. I believe this is a compliance
> > issue with the currently included AC Camerfirma roots.
> Is the above not sufficient to terminate the public review?
My comment may be confusing. The newer CPS specifically covers the roots
we're discussing, and the CPS is compliant with policy with the exception
of things noted in other comments. I would like Camerfirma to comment on my
conclusion about the older CPS and its applicability to the older roots.
> > * Last year, Camerfirma signed a contract with StartCom as a delegated
> > While I don't believe the StartCom distrust plan specifically forbade
> > this, it was found that Camerfirma was not performing domain validation
> > for the OV certificates as required by the BRs.
> I would strongly suggest that further action be deferred until the cited
> contract can be confirmed to have been terminated.
I would like to hear from Camerfirma on this, but StartCom did announce
that they have "terminated the company":
> > * There are a few published, misissued, and currently unrevoked
> > certificates in the CCR2016 hierarchy:
> > https://crt.sh/?caid=50473&opt=cablint,zlint,x509lint&
> If Camerfirma had been already approved and its root added to the RSS
> database, would not the above item be sufficient to remove that root?
It would be treated as an incident, but in isolation seems unlikely to
rise to the level of root removal.
> David E. Ross
> President Trump: Please stop using Twitter. We need
> to hear your voice and see you talking. We need to know
> when your message is really your own and not your attorney's.
> dev-security-policy mailing list