Here's additional information based on questions I've received about
what to do if you determine that an intermediate certificate is not
listed in an audit statement that it should have been in.
When an intermediate certificate is not listed in all of the necessary
audit reports, it is a violation of Mozilla’s Root Store Policy and an
incident report must be filed via a Bugzilla Bug which must list the
steps your CA is taking to resolve the situation.
For example, it is a violation of section 8 of the CA/Browser Forum
Baseline Requirements (BRs) and of Mozilla's Root Store Policy when
there have been no BR audits for an intermediate certificate that is not
technically constrained via Extended Key Usage (EKU) and Name
Constraints (and chains up to a root certificate that has the Websites
trust bit enabled in Mozilla’s program).
Each copy or doppelganger (same Subject+SPKI) intermediate certificate
must have their SHA-256 Fingerprint listed in appropriate audit
statements, according to each of their EKU or inherited trust (Derived
Trust Bits). Certificates that are cross-signed versions of a root
certificate also must have their SHA-256 Fingerprints specifically
listed in the applicable audit statements, because these are also
Acceptable remediation for an intermediate certificate missing BR audits
may include one or more of the following:
1. Have your auditor issue a revised report that includes the
intermediate certificate. Note that if the certificate has been in
existence for multiple past audit periods, this will not be considered a
full remediation unless new reports are supplied for all of those
periods in which the certificate did not appear on the original reports.
2. Revoke the intermediate certificate in accordance with BR section 4.9.
If your CA decides not to revoke the certificate within the timeline
specified by the BRs, then that is another incident, which must also be
addressed in an Incident Report. Note that this may be handled in the
same Bugzilla bug regarding the missing audits.
3. If the intermediate certificate is technically capable but not
intended for TLS issuance, and revocation is not imminent, you may
request that Mozilla add it to OneCRL by adding a comment to the
Bugzilla bug with the request and sending email to me.
Note: While adding the certificate to OneCRL satisfies Mozilla's
expectations for remediation, it may not satisfy other root store
programs. You are advised to seek their guidance on this issue.
dev-security-policy mailing list