On 10/29/19 12:46 PM, Kathleen Wilson wrote:
When an intermediate certificate is not listed in all of the necessary
audit reports, it is a violation of Mozilla’s Root Store Policy and an
incident report must be filed via a Bugzilla Bug which must list the
steps your CA is taking to resolve the situation.
For example, it is a violation of section 8 of the CA/Browser Forum
Baseline Requirements (BRs) and of Mozilla's Root Store Policy when
there have been no BR audits for an intermediate certificate that is not
technically constrained via Extended Key Usage (EKU) and Name
Constraints (and chains up to a root certificate that has the Websites
trust bit enabled in Mozilla’s program).
Each copy or doppelganger (same Subject+SPKI) intermediate certificate
must have their SHA-256 Fingerprint listed in appropriate audit
statements, according to each of their EKU or inherited trust (Derived
Trust Bits). Certificates that are cross-signed versions of a root
certificate also must have their SHA-256 Fingerprints specifically
listed in the applicable audit statements, because these are also
Email that I wrote years ago should NOT be considered as granting anyone
exceptions to following the current version of the BRs and Mozilla's
root store policy.
It is the CA's responsibility to resolve problems that they were aware
of years ago, but which are no longer acceptable. Things have changed,
policies have changed, ability to identify problems and enforce policy
CAs should have been keeping track of and resolving their own known
problems in regards to not fully following the BRs and Mozilla policy.
For example, I expect that a situation in which I responded with an OK
in 2016 would have been corrected in the 3 years since that email was
dev-security-policy mailing list