Deloitte Anjin did the WebTrust audit for South Korea GPKI(Government Public Key Infrastructure).
they audited two organization "Ministry of the Interior" and "Ministry of the Education" buy they did not follow CA/B Forum BR.. they issued certificate without domain validaion. ex) www.testssl.com they issued certificate to TLD domain(public suffix). ex) *.ac.kr which is public suffix list. audit report of Deloitte Anjin say's "everythins is OK" for 2 years (2016, 2017) https://bugs.chromium.org/p/chromium/issues/detail?id=823665 GPKI(MOI) 2017 https://cert.webtrust.org/ViewSeal?id=2183 https://cert.webtrust.org/ViewSeal?id=2184 EPKI(MOE) 2017 https://cert.webtrust.org/ViewSeal?id=2260 https://cert.webtrust.org/ViewSeal?id=2259 GPKI(MOI) 2016 https://cert.webtrust.org/ViewSeal?id=1923 https://cert.webtrust.org/ViewSeal?id=1924 related bug : https://bugzilla.mozilla.org/show_bug.cgi?id=1451235 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy