Having received no further comments, I am recommending approval of Hongkong Post's inclusion request.
As Matt suggested earlier in this thread, I would not typically approve a request for a CA with an open compliance bug, but in this case the bug is open awaiting implementation of pre-issuance linting, something that is not required by our policy. Hongkong Post states that they have implemented post-issuance linting and expect their CA system vendor to support pre-issuance linting within a few months.

- Wayne

On Fri, Feb 15, 2019 at 11:35 AM Wayne Thayer <wtha...@mozilla.com> wrote:

> I have confirmed that the problems identified with the CPS have been
> corrected. [1]
>
> Regarding the comments from Ian on the BR violations in 2016 that resulted
> in adding an intermediate to OneCRL [2], this appears to have been the
> result of the belief that was held by many CAs at that time that only
> certificates "intended" to be used for serverAuth were subject to BR
> requirements. That doesn't excuse the very serious threat that was posed by
> Hongkong Post's issuance of SHA-1 certificates with sequential serial
> numbers that were valid for serverAuth.
>
> Hongkong Post has provided an incident report and answered follow-up
> questions in the bug [3] documenting the failure to report misissued
> certificates. Hongkong Post states that they are currently performing
> post-issuance linting on a monthly basis. They plan to implement
> pre-issuance linting as soon as their CA software vendor supports it. The
> bug will remain open until that is completed.
>
> I would like to make a decision next week on how to proceed with this
> request. Please post any additional comments or concerns by Wednesday
> 20-February.
>
> - Wayne
>
> [1] https://www.ecert.gov.hk/product/cps/ecert/img/server_cps_en4.pdf
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1267332
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1520299
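The thread turns on what a post-issuance lint has to catch: SHA-1 signatures and sequential serial numbers on certificates that are valid for serverAuth, whether or not the CA "intended" them for TLS. The following is an added example of such a lint in Go, written for this page; it is not code from Hongkong Post, Mozilla, or any linting project. The function names LintIssued and SampleBatch, the throwaway issuing CA, the constructed serial numbers, and the check against the 64-bit serial entropy floor of the current Baseline Requirements are all assumptions of the example, not facts from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LintIssued is a post-issuance lint over a batch of DER certificates assumed
// to be in issuance order. Per certificate it flags SHA-1 signatures and serials
// shorter than the 64 bits of CSPRNG output the Baseline Requirements call for;
// across the batch it flags a serial that follows the previous one by exactly 1.
// Scope is "capable of serverAuth", not "intended for it" (no EKU means any use).
func LintIssued(ders [][]byte) ([]string, error) {
	var findings []string
	var prev *big.Int
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		inScope := len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
		for _, eku := range c.ExtKeyUsage {
			inScope = inScope || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
		}
		if !inScope {
			continue // e.g. clientAuth-only: outside BR scope
		}
		switch c.SignatureAlgorithm {
		case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
			findings = append(findings, fmt.Sprintf("%d: signed with SHA-1", c.SerialNumber))
		}
		if c.SerialNumber.BitLen() < 64 {
			findings = append(findings, fmt.Sprintf("%d: serial shorter than 64 bits", c.SerialNumber))
		}
		if prev != nil && new(big.Int).Sub(c.SerialNumber, prev).Cmp(big.NewInt(1)) == 0 {
			findings = append(findings, fmt.Sprintf("%d: serial is sequential", c.SerialNumber))
		}
		prev = c.SerialNumber
	}
	return findings, nil
}

// SampleBatch is constructed input: a throwaway CA key issues three SHA-1 leaves
// with consecutive small serials (no EKU, serverAuth, clientAuth-only) and one
// compliant SHA-256 leaf with a 127-bit serial. Being a fixture, it panics on error.
func SampleBatch() [][]byte {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	ca := &x509.Certificate{ // issuer template; the CA certificate itself is not needed
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	specs := []struct {
		serial *big.Int
		alg    x509.SignatureAlgorithm
		eku    []x509.ExtKeyUsage
	}{
		{big.NewInt(1001), x509.ECDSAWithSHA1, nil},
		{big.NewInt(1002), x509.ECDSAWithSHA1, serverAuth},
		{big.NewInt(1003), x509.ECDSAWithSHA1, clientAuth},
		{new(big.Int).Lsh(big.NewInt(1), 126), x509.ECDSAWithSHA256, serverAuth},
	}
	var batch [][]byte
	for _, s := range specs {
		tmpl := &x509.Certificate{
			SerialNumber: s.serial, Subject: pkix.Name{CommonName: "www.example.test"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			SignatureAlgorithm: s.alg, ExtKeyUsage: s.eku,
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			panic(err)
		}
		batch = append(batch, der)
	}
	return batch
}

func main() {
	findings, err := LintIssued(SampleBatch())
	if err != nil {
		panic(err)
	}
	fmt.Println(len(findings), "findings:", findings)
}
```

Running it yields five findings: the no-EKU and serverAuth certificates are each flagged for SHA-1 and for a short serial, and the second of them is additionally flagged as sequential; the clientAuth-only certificate is skipped as out of scope, and the SHA-256 certificate with a long serial is clean. The sequential check is the one a per-certificate linter such as a pre-issuance hook cannot perform, which is why a batch lint over issued certificates remains useful even after pre-issuance linting is in place.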