True. I can tell you our process was not followed in this case, primarily because of the Symantec transaction.
Ideally, when we add new products (or when a CAB Forum requirement changes), we: 1. Add the mandatory criteria to our compliance engine 2. Add the new cert to our issuing CA 3. Add the validation requirements in validation service 4. Train the staff on the new product/service 5. Enable access via the API and GUI For the most part compliance takes place in two areas (in our updated system). First in the compliance engine for all things technical. Second in the validation service for all validation requirements. On the onion cert issue, we only did #2 and #4. From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org> On Behalf Of Nick Lamb via dev-security-policy Sent: Thursday, March 22, 2018 9:31 AM To: [email protected] Subject: Re: DigiCert .onion certificates without Tor Service Descriptor Hash extension On 21 Mar 2018 17:58, Wayne Thayer via dev-security-policy <[email protected] <mailto:[email protected]> > wrote: 7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things. We revoked the certificates and added preliminary checking for Tor descriptors. We are adding additional checks to ensure certs cannot issue without them. A broader consideration might be how DigiCert (or any CA) can ensure such checks get thought up / planned for during the process of spinning up a new type of issuance. Imagine the CA/B eventually authorizes some hypothetical new "MV" certificates, they are Web PKI certs but with some different (less / more / just strange) validation and criteria for the cert itself. Obviously we cannot plan today for how this should be done exactly, but a CA thinking of issuing MV ought to - as part of that - figure out what needs to happen in terms of preventing mis-issuance of the new certs. Otherwise we're inevitably back here shortly after the CA/B says OK.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
