(Writing in an official capacity for the Google/Chrome Root Program)

There are still a remarkable number of CAs that have not filed incident
reports and not yet remediated this issue.

A reminder, the Baseline Requirements, Section 8.1, states:

> Certificates that are capable of being used to issue new certificates MUST
> either be Technically Constrained in line with section 7.1.5 and audited in
> line with section 8.7 only, or Unconstrained and fully audited in line with
> all remaining requirements from this section.
>
> *A Certificate is deemed as capable of being used to issue new certificates
> if it contains an X.509v3 basicConstraints extension, with the cA boolean
> set to true and is therefore by definition a Root CA Certificate or a
> Subordinate CA Certificate*.


Section 8.6 requires that this audit report be public.

Section 2.2 of the BRs includes the following:

> The CA SHALL publicly give effect to these Requirements and represent that
> it will adhere to the latest published version


Section 4.9.1.2 of the BRs includes the following:

> The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7)
> days if one or more of the following occurs:
>
> 5. The Issuing CA is made aware that the Certificate was not issued in
> accordance with or that Subordinate CA has not complied with this document
> or the applicable Certificate Policy or Certification Practice Statement;


The failure to provide public audit statements that give effect to the
coverage of these certificates, which are in scope of the BRs by definition,
is a violation of the BRs, and ergo a violation of a CA's CP/CPS, and such
certificates *MUST* be revoked.

Our expectation is that CAs will be filing incident reports for:
1) The failure to include and document as in-scope within the relevant audit
2) If the CA fails to revoke within the time period required by the BRs,
the failure to revoke within the BR time period

As two separate reports.

We encourage CAs to carefully examine these reports and provide updates as
to their planned revocations.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy