Thanks Doug.

> A number of Roots were listed. Since this is for ICAs, should we exclude
> those?
> https://crt.sh/?sha256=f27bf02c6e00c73d915eeb6a6a2f5fbf0c31ae0393149e6b5c31e41b113841c3&opt=mozilladisclosure

https://crt.sh/mozilla-disclosures aims to show all CA certificates (Roots and Intermediates), whether in-scope or out-of-scope for Mozilla's disclosure requirements, and to clearly show whether or not any further disclosure requirements apply. I don't plan to change this approach.

That particular certificate is listed in the "Unconstrained, but no unexpired trust paths have been observed: Disclosure is not known to be required" group, which seems correct to me.

> The report includes expired ICAs, should we exclude those?
> https://crt.sh/?sha256=8b8e1f09af86ab016ea5af3bc8da09b7f25461cd46691bd675667b26b9258472&opt=mozilladisclosure

That particular certificate is listed in the "Expired: Disclosure is not required" group, which seems correct to me.

> The report includes revoked ICAs, should we exclude those?
> https://crt.sh/?sha256=4675a0e26d832ab881da9aeac5e1ba1a90a9a445c9145c5a99b25f29be95ecd0&opt=mozilladisclosure

That particular certificate is also listed in the "Expired: Disclosure is not required" group, which seems correct to me. Expiration trumps Revocation in this report.

________________________________
From: Doug Beattie
Sent: Friday, September 23, 2022 12:12
To: Rob Stradling; [email protected]
Subject: RE: Tracking CRL Disclosure Compliance

Hi Rob,

Nice report, as usual! I noticed some CAs that we might want to exclude in a future update of this report:

* A number of Roots were listed. Since this is for ICAs, should we exclude those?
  * https://crt.sh/?sha256=f27bf02c6e00c73d915eeb6a6a2f5fbf0c31ae0393149e6b5c31e41b113841c3&opt=mozilladisclosure
* The report includes expired ICAs, should we exclude those?
  * https://crt.sh/?sha256=8b8e1f09af86ab016ea5af3bc8da09b7f25461cd46691bd675667b26b9258472&opt=mozilladisclosure
* The report includes revoked ICAs, should we exclude those?
  * https://crt.sh/?sha256=4675a0e26d832ab881da9aeac5e1ba1a90a9a445c9145c5a99b25f29be95ecd0&opt=mozilladisclosure

Thanks!

From: 'Rob Stradling' via [email protected] <[email protected]>
Sent: Friday, September 23, 2022 11:29 AM
To: [email protected]
Subject: Tracking CRL Disclosure Compliance

To help CAs and any other interested parties track compliance with MRSP Version 2.8's CRL disclosure requirement (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements) before the October 1st deadline, I've updated https://crt.sh/mozilla-disclosures to flag in-scope Intermediate Certificates for which both the "Full CRL Issued By This CA" and "JSON Array of Partitioned CRLs" fields are empty in the corresponding CCADB records.

https://crt.sh/mozilla-disclosures#disclosureincomplete shows each affected Intermediate Certificate, with the message '"Full CRL Issued By This CA" or "JSON Array of Partitioned CRLs" is required'.

https://crt.sh/mozilla-disclosures#disclosureincompletesummary shows a summary of the same information, grouped by Root Owner.

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB472956903A43D2975E52D7DEAA519%40MW4PR17MB4729.namprd17.prod.outlook.com.
