Hello,

Thanks Wayne and Devon for your reply.

We took the time to respond because we wanted to verify through an audit that the SSL certificate requests processed since September 8th were in compliance with the CA/B Forum requirements for DNS CAA record checks. In general, this has been the case, because we have only one case where the request was authorized by a Registration Officer, despite the alert that had been raised on this subject. We checked the logs of the controls carried out and re-ran these controls on all the SSL certificates issued since September 8th, and confirm that only this certificate was the subject of a failure.

We have created an incident as required (see URL: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/mVD1QoGXBOQ) for this certificate, which has not yet been deployed and used by the applicant. I confirm that we proceeded to the revocation of this certificate, which is now included in our CRL with the following serial number: 476abeb2bc78d588ef4b8f27dbd25f6a (see http://crl.certigna.fr/servicesca.crl).

Note that this incident will not be able to happen again by means of our new practices, which automatically block, without any possible bypass by the RA, any certificate request for which the DNS CAA record controls indicate that the CA is not allowed to issue. These practices are described in the latest updated versions of our CP/CPS.

We have updated our CPs and CPSs to address the different points reported by Devon:
- We clarified the roles and controls performed by the RA and the DRAs;
- We updated the practices implemented for the control of DNS CAA records;
- We have specified the conditions of generation and signature of certificates by the root CA. As a reminder, these certificates are exclusively reserved for the intermediary authorities of our organization and are handled through Key Ceremonies involving several trusted roles, given that our root CAs are offline, and are not intended for customer requests.

Could you tell us if you would like additional information, and if these updates to the CP/CPS are sufficient for you?

Thanking you in advance for your help and your reply.

Best regards

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
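The message above describes two controls: an automatic, non-bypassable CAA check at request time, and a re-run of that check over every certificate issued since a given date. The following is an added illustration of both, written for this thread and not Certigna's own code or the Boulder/CA implementation of any CA. It implements the RFC 8659 relevant-RRset lookup (climbing the DNS tree), the `issue`/`issuewild` and critical-flag rules, and a re-audit pass that lists the serials whose issuance the CAA policy did not authorize. It assumes the CA's CAA issuer-domain-name is `certigna.fr` and replaces live DNS with a constructed in-memory zone, so it runs offline; serials and names are constructed samples.

```python
"""Added example: CAA (RFC 8659) authorization check plus a re-audit of issued
certificates. Illustrative code written for this thread, not any CA's own code.
Assumptions: the CA's CAA issuer-domain-name is "certigna.fr"; DNS is replaced
by a constructed in-memory zone so the script runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CA_ISSUER_DOMAIN = "certigna.fr"   # assumption: identifier a CAA record would name
CRITICAL = 128                     # RFC 8659 flags bit 0, "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data (not real DNS): name -> CAA RRset. An empty list or a
# missing name both mean "no CAA records at this label".
ZONE: Dict[str, List[CAARecord]] = {
    "example.com":     [CAARecord(0, "issue", "letsencrypt.org")],
    "sub.example.com": [],
    "strict.example":  [CAARecord(0, "issue", ";")],            # nobody may issue
    "wild.example":    [CAARecord(0, "issue", "certigna.fr"),
                        CAARecord(0, "issuewild", "other.example")],
    "wild-ok.example": [CAARecord(0, "issuewild", "certigna.fr")],
    "param.example":   [CAARecord(0, "issue", "CERTIGNA.FR; validationmethods=dns-01")],
    "crit.example":    [CAARecord(CRITICAL, "futuretag", "x")],  # unknown + critical
}


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAARecord]]
                     ) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found at the name itself or, climbing one label at a time, at a parent.
    A leading "*." is dropped so a wildcard request starts at its base name."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """Split 'issuer-domain-name [; parameters]' and return the lower-cased name.
    An empty name (e.g. the value ";") means no CA is authorized. Parameters are
    ignored here; a CA that advertises any must also enforce them (assumed none)."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(fqdn: str, ca: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """Return True if the CA identified by `ca` may issue a certificate for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    # RFC 8659 section 4.1: a critical property with an unknown tag forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Section 4.3: issuewild governs wildcard names when present, else issue applies;
    # issuewild is ignored for non-wildcard names.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                      # section 4.2: no issue records, no restriction
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


# Constructed issuance log: (serial, requested name). Not real certificates.
ISSUED = [("0001", "wild.example"), ("0002", "www.example.com"), ("0003", "open.example")]


def reaudit(issued: List[Tuple[str, str]], ca: str,
            zone: Dict[str, List[CAARecord]]) -> List[str]:
    """Re-run the CAA check on every issued certificate and return the serials
    whose issuance the relevant CAA policy did not authorize (incident candidates)."""
    return [serial for serial, fqdn in issued if not caa_allows(fqdn, ca, zone)]


if __name__ == "__main__":
    for serial in reaudit(ISSUED, CA_ISSUER_DOMAIN, ZONE):
        print("CAA policy violation, revoke and file incident:", serial)
```

The point of `reaudit` is that it calls exactly the same `caa_allows` decision the RA-facing path uses; when the request-time control has no manual override, the re-audit can only surface certificates issued before that control existed, which is the situation the message reports.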