On Tue, Sep 11, 2018 at 12:37 AM josselin.allemandou--- via dev-security-policy <[email protected]> wrote:
> Hello,
>
> Thanks Wayne and Devon for your reply.
>
> We took the time to respond because we wanted to verify through an audit
> that the SSL certificate requests processed since September 8th were in
> compliance with the CA/B Forum requirements for DNS CAA record checks.
>

Excellent!

> In general, this has been the case, because we have only one case, where
> the request was authorized by a Registration Officer, despite the alert
> that had been raised on this subject.
>
> We checked the logs of the controls carried out and re-rolled these
> controls on all the SSL certificates issued since September 8th and confirm
> that only this certificate was the object of a failure. We have created an
> incident as required (see URL:
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/mVD1QoGXBOQ)
> for this certificate which has not yet been deployed and used by the
> applicant. I confirm that we proceeded to the revocation of this
> certificate which is now included in our CRL with the following serial
> number: 476abeb2bc78d588ef4b8f27dbd25f6a (see
> http://crl.certigna.fr/servicesca.crl).
>
> Note that this incident will not be able to happen again by means of our
> new practices that automatically block, and without possible bypass by the
> RA, any certificate request for which the DNS CAA record controls induce
> that the CA is not allowed to issue. These practices are described in the
> latest updated versions of our CP/CPS.
>

I will respond to this in the separate thread for the incident report.

> We have updated our CPs and CPSs to address the different points reported
> by Devon:
> - We clarified the roles and controls performed by the RA and the DRAs;
> - We updated the practices implemented for the control of DNS CAA records;
> - We have specified the conditions of generation and signature of
>   certificates by the root CA. As a reminder, these certificates are
>   exclusively reserved for the intermediary authorities of our organization
>   and are handled through Key Ceremonies involving several trusted roles,
>   knowing that our root CAs are offline, and are not intended for customer
>   requests.
>
> Could you tell us if you would like additional information and if these
> provided to CP/CPS are sufficient for you?
>

Devon confirmed to me that he is satisfied with these updates.

> Thanking you in advance for your help and your reply.
>
> Best regards
>

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

