On 8/31/2018 4:19 PM, Wayne Thayer wrote [in part]:

> * A few unrevoked certificates with IP Addresses encoded as DNSName type in
> the SAN [4]. I reported these to SHECA in this bug and they said that they
> would revoke them, but as of this writing they are still valid.

This public comment period should be extended until the affected certificates are indeed revoked.

> * Version 1.3 of the Global G2 Root CP and version 3.6 of the Global G2
> Root CPS were published more than a year after the prior versions in
> violation of Mozilla policy section 3.3.

How do we know this will not happen again?

> * The CP/CPS documents contain version histories, but they didn't describe
> what changed in each version. SHECA began including this information in the
> latest versions of these documents.

Have the version histories been fixed to include all prior changes? How do we know this will not happen again?

> * The non-EV CP and CPS section 6.1 seem to permit CA generation of key
> pairs for SSL certificates in violation of section 5.2 of Mozilla policy.
> SHECA states that they have never generated key pairs for Subscribers and
> revised this section of the CPS, but my interpretation is that the revision
> does not forbid SHECA from generating subscriber key pairs.

This public comment period should be extended until the affected documents make this clear enough to support an audit that verifies key pairs are not being generated. No, I am not suggesting that such an audit is required at this time. I am merely saying that the documents must provide clear, objective statements against which an auditor can determine if the Mozilla policy is being followed.

-- 
David E. Ross
<http://www.rossde.com>

Too often, Twitter is a source of verbal vomit. Examples include Donald Trump, Roseanne Barr, and Elon Musk.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
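The first finding quoted above (IP addresses carried in the SAN as dNSName entries instead of iPAddress entries) is the kind of defect a linter catches before issuance. The following is an added example, not code from the thread or from SHECA, showing how such a check can be done on the raw SubjectAltName extension value using only the Python standard library. The DER blob at the bottom is constructed for the example; the helper names are my own.

```python
"""Flag dNSName entries in a SubjectAltName that are really IP addresses.

Added example: a minimal DER walk over the GeneralNames SEQUENCE
(RFC 5280 section 4.2.1.6). Only the two tags relevant to this check
are interpreted; other GeneralName alternatives are carried through
untouched.
"""
import ipaddress

# Context-specific, implicitly tagged GeneralName alternatives.
TAG_DNSNAME = 0x82    # [2] IA5String
TAG_IPADDRESS = 0x87  # [7] OCTET STRING (4 or 16 bytes)


def _read_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_general_names(san_der):
    """Parse a DER SubjectAltName value into a list of (tag, payload) pairs."""
    if not san_der or san_der[0] != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    length, pos = _read_length(san_der, 1)
    end = pos + length
    if end != len(san_der):
        raise ValueError("trailing data after SEQUENCE")
    names = []
    while pos < end:
        tag = san_der[pos]
        length, pos = _read_length(san_der, pos + 1)
        names.append((tag, san_der[pos:pos + length]))
        pos += length
    return names


def find_ip_in_dnsname(san_der):
    """Return the text of every dNSName entry that parses as an IP address.

    A correctly encoded IP address appears under TAG_IPADDRESS as raw
    bytes; an address string under TAG_DNSNAME is the mis-encoding at issue.
    """
    bad = []
    for tag, value in parse_general_names(san_der):
        if tag != TAG_DNSNAME:
            continue
        text = value.decode("ascii", errors="replace")
        try:
            ipaddress.ip_address(text)
        except ValueError:
            continue  # an ordinary host name is fine here
        bad.append(text)
    return bad


def _general_name(tag, payload):
    """Encode one GeneralName with a short-form length (payload < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload


def _sequence(body):
    """Wrap an already-encoded body in a short-form SEQUENCE."""
    return bytes([0x30, len(body)]) + body


# Constructed sample SAN (hypothetical values): one proper host name,
# an IPv4 and an IPv6 address wrongly placed in dNSName entries, and
# the same IPv4 address correctly encoded as an iPAddress entry.
SAMPLE_SAN = _sequence(
    _general_name(TAG_DNSNAME, b"www.example.com")
    + _general_name(TAG_DNSNAME, b"192.0.2.10")
    + _general_name(TAG_DNSNAME, b"2001:db8::1")
    + _general_name(TAG_IPADDRESS, bytes([192, 0, 2, 10]))
)

if __name__ == "__main__":
    print(find_ip_in_dnsname(SAMPLE_SAN))  # ['192.0.2.10', '2001:db8::1']
```

In practice the SAN value would be pulled from a parsed certificate (the extension with OID 2.5.29.17) rather than built by hand; the check itself is the same.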

