One of the non-technically-constrained intermediate certificates on the list 
[2] below is issued by Buypass and this was revoked today - see 

This was done to be compliant with Section 5.3.1 of Mozilla Root Store Policy v 
2.5 [1] - as specified in Action 1 of November 2017 CA Communication: "By April 
15, 2018, all intermediate certificates (that chain up to root certificates 
included in Mozilla's program) that are capable of issuing S/MIME certificates 
but are not name constrained must be either audited and disclosed in the Common 
CA Database, or be revoked".

Please let me know if any further action(s) are required from our side. 


-----Original Message-----
From: dev-security-policy 
<dev-security-policy-bounces+mads.henriksveen=buypass...@lists.mozilla.org> On 
Behalf Of Rob Stradling via dev-security-policy
Sent: Tuesday 16 January 2018 22:29
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: CCADB disclosure of id-kp-emailProtection intermediates

[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents Mozilla's 
policy and/or current expectations.  Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the non-disclosure 
(and, IINM, non-audit) of certain non-technically-constrained 
id-kp-emailProtection intermediate certificates...until yesterday:
"Instead of complying with the above paragraph, intermediate certificates 
issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained 
intermediate certificates known to crt.sh that chain to an NSS built-in root 
(that has the Email trust bit set) and are capable of issuing 
id-kp-emailProtection certificates but not id-kp-serverAuthentication.

IIUC, the Mozilla policy now requires these intermediate certificates to have 
already been disclosed to the CCADB and to be audited.


[2] https://crt.sh/mozilla-disclosures#undisclosed

[3] https://crt.sh/mozilla-disclosures#undisclosedsummary

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
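As an added example, not part of either message in this thread: the crt.sh classification quoted above (an intermediate that is S/MIME-capable but not name constrained) written as a check over a parsed certificate in Go, standard library only. The certificates it examines are minted in-process as constructed test data, and the reading of "technically constrained" as either an EKU that excludes emailProtection/anyExtendedKeyUsage or an rfc822Name Name Constraint is my assumption, since the thread does not spell the definition out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// smimeCapable: a CA cert can issue id-kp-emailProtection leaves when it has no EKU extension at all,
// or an EKU that lists emailProtection or anyExtendedKeyUsage.
func smimeCapable(c *x509.Certificate) bool {
	if !c.IsCA { return false } // only CA certificates can issue anything
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true // no EKU extension: nothing limits what may be issued
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// emailNameConstrained: rfc822Name Name Constraints (permitted or excluded) are what make an
// S/MIME-capable intermediate "technically constrained" for the Email trust bit (assumed reading).
func emailNameConstrained(c *x509.Certificate) bool { return len(c.PermittedEmailAddresses) > 0 || len(c.ExcludedEmailAddresses) > 0 }

// needsDisclosure: in scope of Action 1 (disclose and audit in the CCADB, or revoke).
func needsDisclosure(c *x509.Certificate) bool { return smimeCapable(c) && !emailNameConstrained(c) }

// mintIntermediate builds a throwaway self-signed CA cert (constructed test data, not a real CA).
func mintIntermediate(ekus []x509.ExtKeyUsage, permittedEmail []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: ekus, PermittedEmailAddresses: permittedEmail,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	emailEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	fmt.Println("no EKU, no NC         ->", needsDisclosure(mintIntermediate(nil, nil)))                        // true
	fmt.Println("email EKU + rfc822 NC ->", needsDisclosure(mintIntermediate(emailEKU, []string{"example.com"}))) // false
}
```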