Here's additional information based on questions I've received about what to do if you determine that an intermediate certificate is not listed in an audit statement that it should have been in.

When an intermediate certificate is not listed in all of the necessary audit reports, it is a violation of Mozilla’s Root Store Policy and an incident report[1] must be filed via a Bugzilla Bug which must list the steps your CA is taking to resolve the situation.

For example, it is a violation of section 8 of the CA/Browser Forum Baseline Requirements (BRs) and of Mozilla's Root Store Policy when there have been no BR audits for an intermediate certificate that is not technically constrained[2] via Extended Key Usage (EKU) and Name Constraints (and chains up to a root certificate that has the Websites trust bit enabled in Mozilla’s program).

Each copy or doppelganger (same Subject+SPKI) intermediate certificate must have their SHA-256 Fingerprint listed in appropriate audit statements, according to each of their EKU or inherited trust (Derived Trust Bits). Certificates that are cross-signed versions of a root certificate also must have their SHA-256 Fingerprints specifically listed in the applicable audit statements, because these are also intermediate certificates.

Acceptable remediation for an intermediate certificate missing BR audits may include one or more of the following:

1. Have your auditor issue a revised report that includes the intermediate certificate. Note that if the certificate has been in existence for multiple past audit periods, this will not be considered a full remediation unless new reports are supplied for all of those periods in which the certificate did not appear on the original reports.

2. Revoke the intermediate certificate in accordance with BR section 4.9.
If your CA decides not to revoke the certificate within the timeline specified by the BRs, then that is another incident, which must also be addressed in an Incident Report. Note that this may be handled in the same Bugzilla bug regarding the missing audits.

3. If the intermediate certificate is technically capable but not intended for TLS issuance, and revocation is not imminent, you may request that Mozilla add it to OneCRL by adding a comment to the Bugzilla bug with the request and sending email to me. Note: While adding the certificate to OneCRL satisfies Mozilla's expectations for remediation, it may not satisfy other root store programs. You are advised to seek their guidance on this issue.



dev-security-policy mailing list

Reply via email to