Having received no further comments, I am recommending approval of Certigna's inclusion request.
I would first like to thank Certigna for their patience as this request spent a long time waiting on Mozilla. The disregard for CAB Forum requirements shown by Certigna's CAA exception process is a very serious issue, as is the incomplete response we received from Certigna. If not for the fact that few other issues were identified, and that the CAA requirement is relatively new and apparently not well understood, I may not have recommended approval. Certigna should be aware that any future policy violations will be judged more severely than they might seem given the existence of this CAA misissuance.

- Wayne

On Wed, Oct 24, 2018 at 4:56 PM Wayne Thayer <[email protected]> wrote:

> On Wed, Oct 24, 2018 at 3:02 PM David E. Ross via dev-security-policy <[email protected]> wrote:
>
>> On 10/24/2018 1:07 PM, Wayne Thayer wrote:
>>
>>> On Tue, Oct 23, 2018 at 1:46 PM David E. Ross via dev-security-policy <[email protected]> wrote:
>>>
>>>> On 10/23/2018 11:45 AM, Wayne Thayer wrote:
>>>>
>>>>> I believe that the discussion over Certigna's reported CAA misissuance [1][2] has reached an end, even though some questions remain unanswered. If anyone has additional comments or concerns about this inclusion request, please respond by Friday 26-October. This request [3] has been in discussion since April 2017 and I would like to bring it to a conclusion soon.
>>>>>
>>>>> - Wayne
>>>>>
>>>>> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/mVD1QoGXBOQ/EkYklywRBAAJ
>>>>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485413
>>>>> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1265683
>>>>
>>>> If there remain unresolved issues, should not approval be withheld?
>>>
>>> Certigna has completed their remediation, but a large number of questions were asked during the discussion of the misissuance. I think it is fair to say that Certigna was unwilling or unable to answer many of them, and when this became apparent, I asked for the questioning to stop. Therefore, I consider the issue to be resolved, but not necessarily resolved to our satisfaction.
>>
>> If Mozilla is not satisfied with how the misissuance was resolved, why would the root be included in Mozilla's NSS?
>
> It's fairly common for a CA to fail to meet our expectations for root cause analysis, and I suspect that we would tolerate this one if it had been discovered, say, a year ago rather than during the inclusion discussion. I'm not arguing for ignoring it, but when I consider the entirety of the evidence presented, it's not obvious to me that this should be rejected either. That's part of the reason why I asked for additional comments.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

