On 10/29/19 12:46 PM, Kathleen Wilson wrote:

When an intermediate certificate is not listed in all of the necessary audit reports, it is a violation of Mozilla’s Root Store Policy and an incident report[1] must be filed via a Bugzilla Bug which must list the steps your CA is taking to resolve the situation.

For example, it is a violation of section 8 of the CA/Browser Forum Baseline Requirements (BRs) and of Mozilla's Root Store Policy when there have been no BR audits for an intermediate certificate that is not technically constrained[2] via Extended Key Usage (EKU) and Name Constraints (and chains up to a root certificate that has the Websites trust bit enabled in Mozilla’s program).

Each copy or doppelganger (same Subject+SPKI) intermediate certificate must have its SHA-256 Fingerprint listed in the appropriate audit statements, according to each one's EKU or inherited trust (Derived Trust Bits). Certificates that are cross-signed versions of a root certificate must also have their SHA-256 Fingerprints specifically listed in the applicable audit statements, because these are also intermediate certificates.


Email that I wrote years ago should NOT be considered as granting anyone exceptions to following the current version of the BRs and Mozilla's root store policy.

It is the CA's responsibility to resolve problems that they were aware of years ago, but which are no longer acceptable. Things have changed, policies have changed, and the ability to identify problems and enforce policy has changed.

CAs should have been keeping track of and resolving their own known problems with regard to not fully following the BRs and Mozilla policy. For example, I expect that a situation in which I responded with an OK in 2016 would have been corrected in the 3 years since that email was written.

dev-security-policy mailing list
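The message above turns on two concrete facts: an audit statement has to list the SHA-256 fingerprint of every intermediate, and cross-signed or doppelganger copies (same Subject and same SubjectPublicKeyInfo, different issuer and signature) are separate certificates with separate fingerprints. The following is an added example, not part of Kathleen Wilson's message and not Mozilla or CA/Browser Forum tooling, showing how a CA could check its own inventory against an audit list. It uses only Go's standard library, builds an offline hierarchy with constructed names (two roots, one intermediate key cross-signed by both, one unrelated intermediate), groups certificates by Subject+SPKI so that doppelgangers are seen as one CA identity with several fingerprints, and reports which fingerprints an audit statement fails to list. The function and type names are mine, not from any real project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Fingerprint is the SHA-256 digest of the certificate's DER encoding as
// upper-case hex with no separators: the value an audit statement must list.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// doppelgangerKey identifies a CA by Subject and SubjectPublicKeyInfo only.
// Issuer, serial and signature are ignored on purpose, so cross-signed copies
// of one intermediate collapse to the same key.
func doppelgangerKey(c *x509.Certificate) string {
	spki := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return c.Subject.String() + " / SPKI:" + hex.EncodeToString(spki[:8])
}

// GroupDoppelgangers maps each Subject+SPKI identity to the sorted list of
// distinct fingerprints sharing it. Each entry is a separate certificate and
// must be listed separately in the audit statement.
func GroupDoppelgangers(certs []*x509.Certificate) map[string][]string {
	groups := map[string][]string{}
	seen := map[string]bool{}
	for _, c := range certs {
		fp := Fingerprint(c)
		if seen[fp] {
			continue // byte-identical duplicate, one fingerprint is enough
		}
		seen[fp] = true
		k := doppelgangerKey(c)
		groups[k] = append(groups[k], fp)
	}
	for k := range groups {
		sort.Strings(groups[k])
	}
	return groups
}

// MissingFromAudit returns, sorted, the fingerprints of certs absent from the
// audited list. Audit statements often print fingerprints with colons or in
// lower case, so those are normalised before comparison.
func MissingFromAudit(certs []*x509.Certificate, audited []string) []string {
	listed := map[string]bool{}
	for _, fp := range audited {
		listed[strings.ToUpper(strings.ReplaceAll(fp, ":", ""))] = true
	}
	var missing []string
	for _, c := range certs {
		if fp := Fingerprint(c); !listed[fp] {
			missing = append(missing, fp)
		}
	}
	sort.Strings(missing)
	return missing
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate is a minimal CA certificate template; the names are constructed.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Constructed CA Inc"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with signer under parent; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSampleHierarchy returns three intermediates: the same key and subject
// cross-signed by Root A and Root B (a doppelganger pair), plus one unrelated
// intermediate under Root A. All material is generated in memory.
func BuildSampleHierarchy() []*x509.Certificate {
	rootAKey, rootBKey := mustKey(), mustKey()
	rootA := issue(caTemplate("Constructed Root A", 1), nil, &rootAKey.PublicKey, rootAKey)
	rootB := issue(caTemplate("Constructed Root B", 2), nil, &rootBKey.PublicKey, rootBKey)

	subKey := mustKey()
	crossA := issue(caTemplate("Constructed Intermediate", 100), rootA, &subKey.PublicKey, rootAKey)
	crossB := issue(caTemplate("Constructed Intermediate", 200), rootB, &subKey.PublicKey, rootBKey)

	otherKey := mustKey()
	other := issue(caTemplate("Constructed Other Intermediate", 300), rootA, &otherKey.PublicKey, rootAKey)

	return []*x509.Certificate{crossA, crossB, other}
}

func main() {
	certs := BuildSampleHierarchy()
	for key, fps := range GroupDoppelgangers(certs) {
		fmt.Println(key)
		for _, fp := range fps {
			fmt.Println("  ", fp)
		}
	}
	// An audit statement that lists only one copy of the cross-signed
	// intermediate (and the unrelated one) is missing the twin.
	audit := []string{Fingerprint(certs[0]), Fingerprint(certs[2])}
	fmt.Println("not listed in audit:", MissingFromAudit(certs, audit))
}
```

The grouping deliberately keys on Subject+SPKI rather than on Subject Key Identifier alone, because SKI is an optional extension that a cross-signing root may populate differently; the public key bytes are what make two certificates the same CA in practice. A real run would replace BuildSampleHierarchy with the CA's own intermediate inventory (for example parsed from a directory of PEM files) and the audit list with the fingerprints copied from the audit statement.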
