I have confirmed that the problems identified with the CPS have been corrected. [1]
Regarding the comments from Ian on the BR violations in 2016 that resulted in adding an intermediate to OneCRL [2], this appears to have been the result of the belief that was held by many CAs at that time that only certificates "intended" to be used for serverAuth were subject to BR requirements. That doesn't excuse the very serious threat that was posed by Hongkong Post's issuance of SHA-1 certificates with sequential serial numbers that were valid for serverAuth. Hongkong Post has provided an incident report and answered follow-up questions in the bug [3] documenting the failure to report misissued certificates. Hongkong Post states that they are currently performing post-issuance linting on a monthly basis. They plan to implement pre-issuance linting as soon as their CA software vendor supports it. The bug will remain open until that is completed. I would like to make a decision next week on how to proceed with this request. Please post any additional comments or concerns by Wednesday 20-February. - Wayne [1] https://www.ecert.gov.hk/product/cps/ecert/img/server_cps_en4.pdf [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1267332 [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1520299 On Thu, Jan 31, 2019 at 9:47 PM Man Ho via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We have applied the changes in the current CPS, please see > https://www.ecert.gov.hk/product/cps/ecert/img/server_cps_en4.pdf > > So, the "Pre-production" CPS will be advanced to version 5, that will > replace the current CPS after Mozilla community discussion. > > If any member has other comments, you're welcome to bring it out. :) > > > On 17-Jan-19 10:25 AM, Man Ho via dev-security-policy wrote: > > Thanks for all the comments. I'm preparing now to apply the relevant > changes from the "Pre-production" CPS in the current CPS to clarify > these concerns. Specifically, > > 1. correct the description of revocation process to fix the suspension > and revocation issue. > > 2. make a statement in PREAMBLE that "...HKPost to appoint Registration > Authorities (RAs) as its agents to carry out certain of the functions of > HKPost as a Recognized CA as set out in this CPS, except the functions > of domain name validation." > > 3. modify section 4.9.1 to include all revocation reasons required by BR > 4.9.1.1 > > Please note that this update to the current CPS will advance the version > of current CPS from version 3 to version 4. So, the "Pre-production" CPS > will be version 5, replacing the current CPS. > > If any member has other comments, you're welcome to bring it out. > > > On 16-Jan-19 5:30 AM, Wayne Thayer via dev-security-policy wrote: > > > I think you and David are also suggesting that the CPS for existing roots > must be updated to fix the suspension and revocation issues listed under > "bad", and to clarify the external RA concern listed under "meh". > > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org<mailto: > dev-security-policy@lists.mozilla.org> > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy