When Rob Stradling announced the excellent addition of the "inconsistent
Audit details" and "Inconsistent CP/CPS Details" sections to the crt.sh
Mozilla CA Certificate Disclosures report [1], we discovered some
inconsistencies between Mozilla's expectations and CCADB policy [2]. To
correct this, the following list of exceptions to providing audit
information *for intermediate certs* has been added to the policy:

   - The SHA-256 fingerprint of the certificate is specifically listed as
   in scope in the audit statements of the parent certificate, and the “Audits
   Same as Parent” checkbox is checked; or
   - The certificate has expired; or
   - The certificate is technically-constrained as described in section
   7.1.5 of the CA/Browser Forum Baseline Requirements; or
   - The certificate has been revoked, and the corresponding record in the
   CCADB has been updated with the correct revocation status.

This change is captured in CCADB policy issues #30 [3] and #31 [4].

- Wayne

[1] https://crt.sh/mozilla-disclosures
[2] https://www.ccadb.org/policy#5-policies-practices-and-audit-information
[3] https://github.com/mozilla/www.ccadb.org/issues/30
[4] https://github.com/mozilla/www.ccadb.org/issues/31
dev-security-policy mailing list
