I believe that the discussion over Certigna's reported CAA misissuance [1][2] has reached an end, even though some questions remain unanswered. If anyone has additional comments or concerns about this inclusion request, please respond by Friday 26-October. This request [3] has been in discussion since April 2017 and I would like to bring it to a conclusion soon.
- Wayne [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/mVD1QoGXBOQ/EkYklywRBAAJ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485413 [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1265683 On Wed, Sep 12, 2018 at 11:44 PM Wayne Thayer <[email protected]> wrote: > On Tue, Sep 11, 2018 at 12:37 AM josselin.allemandou--- via > dev-security-policy <[email protected]> wrote: > >> Hello, >> >> Thanks Wayne and Devon for your reply. >> >> We took the time to respond because we wanted to verify through an audit >> that the SSL certificate requests processed since September 8th were in >> compliance with the CA/B Forum requirements for DNS CAA record checks. >> >> > > Excellent! > > > >> In general, this has been the case, because we have only one case, where >> the request was authorized by a Registration Officer, despite the alert >> that had been raised on this subject. >> >> We checked the logs of the controls carried out and re-rolled these >> controls on all the SSL certificates issued since September 8th and confirm >> that only this certificate was the object of a failure. We have created an >> incident as required (see URL: >> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/mVD1QoGXBOQ) >> for this certificate which has not yet been deployed and used by the >> applicant. I confirm that we proceeded to the revocation of this >> certificate which is now included in our CRL with the following serial >> number: 476abeb2bc78d588ef4b8f27dbd25f6a (see >> http://crl.certigna.fr/servicesca.crl). >> >> Note that this incident will not be able to happen again by means of our >> new practices that automatically block and without possible bypass by the >> RA, any certificate request for which the DNS CAA record controls induce >> that the CA is not allowed to issue. These practices are described in the >> latest updated versions of our CP/CPS. >> >> > > I will respond to this in the separate thread for the incident report. > > > >> We have updated our CPs and CPSs to address the different points reported >> by Devon: >> - We clarified the roles and controls performed by the RA and the >> DRAs; >> - We updated the practices implemented for the control of DNS CAA >> records; >> - We have specified the conditions of generation and signature of >> certificates by the root CA. As a reminder, these certificates are >> exclusively reserved for the intermediary authorities of our organization >> and are handled through Key Ceremonies involving several trusted roles >> knowing that our root CAs are Offline, and are not intended for customers >> request. >> >> Could you tell us if you would like additional information and if these >> provided to CP/CPS are sufficient for you? >> >> > > Devon confirmed to me that he is satisfied with these updates. > > > >> Thanking you in advance for your help and your reply. >> >> Best regards >> >> _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
