[ Please reply to list, Mozilla NNTP<->mail gateway seems to insert wrong Reply-To ]
It appears from the data that SwissSign has reacted to the requirement by starting to log some of their existing intermediaries in CT, instead of in CCADB. At least at a cursory glance.

On 09/10/2018 12:43, Rob Stradling wrote:
> "ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs of the Mozilla Root Store Policy requirement [2] that non-technically-constrained intermediate CA certificates...
>
> "MUST be publicly disclosed in the CCADB by the CA that has their certificate included in Mozilla's root program. The CA with a certificate included in Mozilla's root program MUST disclose this information within a week of certificate creation, and before any such subordinate CA is allowed to issue certificates."
>
> In their responses to "ACTION 6" [3], most CAs indicated that...
>
> "We are aware of the requirements for intermediate certificate disclosure and have processes in place to ensure that these requirements are met"
>
> There are currently 20 undisclosed non-technically-constrained intermediates, belonging to 6 Root Owners, on "Rob's naughty list" [4] (snapshot at [5]). All 20 were undisclosed and listed (on [4]) on the day the responses to [1] were due (September 30th), which means that they have not been disclosed "within a week of certificate creation".
>
> So, ISTM that the "processes in place to ensure that these requirements are met" are insufficient/broken for at least the following Root Owners:
> - Certicámara
> - DigiCert
> - DocuSign (OpenTrust/Keynectis)
> - SECOM Trust Systems CO., LTD.
> - SwissSign AG
> - Telia Company (formerly TeliaSonera)
>
> Wayne, Kathleen: Given the number of times that all the CAs in Mozilla's Root Program have been reminded about Mozilla's requirements for disclosing intermediate certs, I wouldn't blame you if you decided to add these 20 intermediate certs [5] to OneCRL immediately!
>
> [1] https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL
> [2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited
> [3] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079
> [4] https://crt.sh/mozilla-disclosures#undisclosed
> [5] https://crt.sh/reports/20181009_MozillaDisclosures.html#undisclosed

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy