Hi,

One of the non-technically-constrained intermediate certificates on the list [2] below is issued by Buypass and this was revoked today - see https://crt.sh/?id=157337628.
This was done to be compliant with Section 5.3.1 of Mozilla Root Store Policy v 2.5 [1] - as specified in Action 1 of November 2017 CA Communication: "By April 15, 2018, all intermediate certificates (that chain up to root certificates included in Mozilla's program) that are capable of issuing S/MIME certificates but are not name constrained must be either audited and disclosed in the Common CA Database, or be revoked".

Please let me know if any further action(s) are required from our side.

Regards
Mads

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces+mads.henriksveen=buypass...@lists.mozilla.org> On Behalf Of Rob Stradling via dev-security-policy
Sent: tirsdag 16. januar 2018 22:29
To: [email protected]
Subject: CCADB disclosure of id-kp-emailProtection intermediates

[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents Mozilla's policy and/or current expectations. Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the non-disclosure (and, IINM, non-audit) of certain non-technically-constrained id-kp-emailProtection intermediate certificates...until yesterday:

"Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained intermediate certificates known to crt.sh that chain to an NSS built-in root (that has the Email trust bit set) and are capable of issuing id-kp-emailProtection certificates but not id-kp-serverAuthentication certificates.

IIUC, the Mozilla policy now requires these intermediate certificates to have already been disclosed to the CCADB and to be audited.
[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#technically-constrained
[2] https://crt.sh/mozilla-disclosures#undisclosed
[3] https://crt.sh/mozilla-disclosures#undisclosedsummary

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

