On Wed, Oct 24, 2018 at 3:02 PM David E. Ross via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 10/24/2018 1:07 PM, Wayne Thayer wrote:
> > On Tue, Oct 23, 2018 at 1:46 PM David E. Ross via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > On 10/23/2018 11:45 AM, Wayne Thayer wrote:
> > > > I believe that the discussion over Certigna's reported CAA misissuance [1][2] has reached an end, even though some questions remain unanswered. If anyone has additional comments or concerns about this inclusion request, please respond by Friday 26-October. This request [3] has been in discussion since April 2017 and I would like to bring it to a conclusion soon.
> > > >
> > > > - Wayne
> > > >
> > > > [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/mVD1QoGXBOQ/EkYklywRBAAJ
> > > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485413
> > > > [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1265683
> > >
> > > If there remain unresolved issues, should not approval be withheld?
> >
> > Certigna has completed their remediation, but a large number of questions were asked during the discussion of the misissuance. I think it is fair to say that Certigna was unwilling or unable to answer many of them, and when this became apparent, I asked for the questioning to stop. Therefore, I consider the issue to be resolved, but not necessarily resolved to our satisfaction.
>
> If Mozilla is not satisfied with how the misissuance was resolved, why would the root be included in Mozilla's NSS?

It's fairly common for a CA to fail to meet our expectations for root cause analysis, and I suspect that we would tolerate this one if it had been discovered, say, a year ago rather than during the inclusion discussion. I'm not arguing for ignoring it, but when I consider the entirety of the evidence presented, it's not obvious to me that this should be rejected either. That's part of the reason why I asked for additional comments.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy