On Wed, Aug 22, 2018 at 2:10 AM josselin.allemandou--- via dev-security-policy <[email protected]> wrote:
> > ----------------------------------------------------------------------------
> > CPS Section 4.2.1: If the request is valid and allows to obtain with
> > accuracy the authorization to issue the certificate by a legal
> > representative of the entity which is owner of the domain names, the CA
> > authorizes itself to issue the certificate even if the CA is not present in
> > the list of authorized CA.
> >
> > This appears to directly contravene BR Section 3.2.2.8, which specifies
> > the following 3 scenarios in which a CA can issue a certificate despite not
> > appearing in the CAA record:
> >
> > • CAA checking is optional for certificates for which a Certificate
> > Transparency pre-certificate was created and logged in at least two public
> > logs, and for which CAA was checked. (Baseline Requirements, v. 1.6.0, p. 21)
> >
> > • CAA checking is optional for certificates issued by a Technically
> > Constrained Subordinate CA Certificate as set out in Baseline Requirements
> > section 7.1.5, where the lack of CAA checking is an explicit contractual
> > provision in the contract with the Applicant.
> >
> > • CAA checking is optional if the CA or an Affiliate of the CA is the DNS
> > Operator (as defined in RFC 7719) of the domain's DNS.
>
> -> Indeed, up to now we were operating a control with an alert and a
> notification to the applicant (pointing to this page
> https://www.certigna.fr/dns-caa.xhtml) to add us to the CAA field if it is
> present, but it was not blocking for the request because we considered that
> having a signed authorization from the legal representative was sufficient
> even if the applicant had not updated the CAA record.

This response implies that Certigna has misissued certificates that failed
CAA validation. I have opened a bug [1] asking Certigna to identify and
remediate these certificates, and to file an incident report.

> Now, our control processes provide that the certificate request is blocked,
> notably in the following cases:
> - The CAA DNS field is present, it contains an "issue" or "issuewild" tag,
> and it does not list Certigna as an authorized CA.
> - The CAA DNS field is present, designated as critical, and the tag used is
> not supported by the CA (so if it is not an "issue" or "issuewild").
>
> We will be releasing the CP / CPS update to clarify these practices being
> implemented now. If this is enough for you, we will immediately publish the
> documents.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1485413

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
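The two blocking rules Certigna describes (no matching "issue"/"issuewild" record, or an issuer-critical record with an unsupported tag) are the core of an RFC 8659 CAA check, and the "alert but do not block" behaviour it replaces is exactly what the BR 3.2.2.8 exceptions do not cover. The following is an added, stand-alone illustration written for this page; it is not code from Certigna, Mozilla or the CA/Browser Forum. The zone data is constructed, the function names are mine, and the `blocking` switch in `issuance_gate` is an assumed model of the before/after behaviour in the message, not a description of any CA's actual software.

```python
"""Offline CAA (RFC 8659) issuance check over a constructed sample zone.

Added illustration for the thread above; not code from Certigna or Mozilla.
The zone data is invented, and the `blocking` switch in `issuance_gate`
models the before/after behaviour described in the message (assumed).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ISSUER_CRITICAL = 0x80                          # RFC 8659 s4.1: issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}    # property tags this checker understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


# Constructed sample zone (not real DNS data): FQDN -> CAA RRset at that name.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "certigna.fr")],
    "wild.example.com": [CAARecord(0, "issuewild", "letsencrypt.org"),
                         CAARecord(0, "issue", "certigna.fr")],
    "locked.example.com": [CAARecord(0, "issue", ";")],              # nobody may issue
    "strict.example.com": [CAARecord(ISSUER_CRITICAL, "future-tag", "x"),
                           CAARecord(0, "issue", "certigna.fr")],
    "report.example.com": [CAARecord(0, "iodef", "mailto:security@example.com")],
}

Lookup = Callable[[str], List[CAARecord]]


def zone_lookup(name: str) -> List[CAARecord]:
    """Stand-in for a real CAA query (which should be DNSSEC-validated)."""
    return SAMPLE_ZONE.get(name.lower(), [])


def relevant_caa_rrset(fqdn: str, lookup: Lookup) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s3: the relevant RRset is the first non-empty CAA RRset found
    walking from the FQDN up through its parents to the TLD.  CNAME/DNAME
    following is omitted here for brevity."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name)
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'; ';' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca_domain: str, fqdn: str, lookup: Lookup) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `fqdn` ('*.x' = wildcard)."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    origin, rrset = relevant_caa_rrset(base, lookup)
    if not rrset:
        return True, f"no CAA RRset from {base} up to the TLD"
    # Second blocking rule: an issuer-critical record whose tag we do not
    # implement forbids issuance regardless of any issue/issuewild records.
    for rr in rrset:
        if rr.critical() and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical tag '{rr.tag}' at {origin} is not understood"
    issue = [issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    applicable, tag = (issuewild, "issuewild") if wildcard and issuewild else (issue, "issue")
    if not applicable:
        return True, f"no {tag} records at {origin}"
    # First blocking rule: issue/issuewild present but the CA is not listed.
    if ca_domain.lower() in applicable:
        return True, f"{origin} authorizes {ca_domain} via {tag}"
    return False, f"{origin} has {tag} records but none names {ca_domain}"


def issuance_gate(ca_domain: str, fqdn: str, lookup: Lookup,
                  signed_authorization: bool = False,
                  blocking: bool = True) -> Tuple[bool, str]:
    """Request gate.  A signed authorization from the legal representative is
    recorded but is NOT one of the BR 3.2.2.8 exceptions, so it never turns a
    CAA failure into a pass.  blocking=False reproduces the earlier
    alert-and-continue behaviour from the thread (assumed model)."""
    allowed, reason = caa_permits(ca_domain, fqdn, lookup)
    if allowed:
        return True, reason
    if not blocking:
        note = " (signed authorization on file)" if signed_authorization else ""
        return True, "ALERT, request continued despite CAA failure: " + reason + note
    return False, "BLOCKED: " + reason
```

Running `issuance_gate("certigna.fr", "locked.example.com", zone_lookup, signed_authorization=True, blocking=False)` returns a pass, which is the misissuance pattern the bug report is about; with `blocking=True` the same request is refused. A production check additionally needs DNSSEC validation, the CNAME/DNAME handling in RFC 8659 section 3, and a record of the CAA lookup result for the CT/"CAA was checked" exception quoted above.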

