Dear Lucia et al,

On Thursday, 17 November 2022 at 19:07:53 UTC+1 Lucia Castelli wrote:
> Currently we only issue to *.br, due to our form of validation that
> involves the Registro.br, but *It has no restriction.*

I understand from Brazilians I spoke to that SERPRO is a needed certificate issuer for various Brazilian governmental services Brazilians have to use, including tax revenue services. And right now they need to manually install these CA certificates themselves. Is this correct?

I notice that there has not been a follow-up from your side to the questions and concerns raised by Kurt and others in at least a week. Given this is only a 6-week public discussion period, I am worried about this lack of response from a CA, especially given Ben's initial email stating that "[..] a representative of SERPRO must promptly respond directly in the discussion thread to all questions that are posted."

While a glance at the crt.sh overview gives me the impression that your process might have improved somewhat in recent times, I have strong doubts about the suitability of SERPRO as a mature CA for default inclusion at this time, for a number of reasons:

- There has, so far, not been any clarification given of how the processes have been adjusted to stop the issuing of certificates that are not for valid domains: URLs, IP addresses, a domain under a different country's TLD, or other non-valid domains.
- The various *.serpro domains issued in the past make me wonder just how well internal and external CA responsibilities and processes have been separated from one another, given that they are leaking onto the internet.
- It is good to see that the various misissued certificates are revoked; however, for many it took many months before the problem was noticed and acted upon. This again makes me wonder about both first- and second-line processes/controls.

It is fully understandable if a mistake is made. None of us are perfect, and we keep iterating on our processes to improve them.
However, whenever I deal with mistakes in the line of my own work, whether they are certificates or something else, I will look at the mistake and double-check recent work for similar mistakes. When I see a URL being issued and then revoked a month later, and then spot another one, issued in the same month but revoked 4 months later, I can only wonder why no automated process was kicked off to identify similar issues with your certificates. Even if it was the rough equivalent of an "openssl x509 -noout -subject -in <cert> | grep http" over all certificates.

Jeroen Ruigrok van der Werven

To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/4e5342e8-0c7b-4228-8d93-bef1275711f0n%40ccadb.org.
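The kind of automated sweep the message asks for, written out as an added example that is not part of the thread and not SERPRO's or CCADB's code: a small Python linter over the dNSName values a CA has issued, generalised from the `grep http` idea to also catch IP addresses placed in dNSName entries, syntactically invalid names, and names outside the CA's documented `.br` scope. The `ALLOWED_TLDS` set, the serial numbers and every name in `SAMPLE_CERTS` are constructed for illustration; a real run would feed it names extracted with `openssl x509 -noout -ext subjectAltName` or pulled from crt.sh.

```python
"""Post-issuance linter for certificate name entries (added example).

Flags dNSName values that should never have passed pre-issuance checks:
URLs, IP addresses, syntactically invalid DNS names, and names whose TLD is
outside the CA's stated validation scope (here: only .br, an assumption
taken from the quoted statement).
"""
import ipaddress
import re

# Assumption for this example: the CA validates only .br names.
ALLOWED_TLDS = {"br"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_name(name):
    """Return None for a valid, in-scope DNS name, otherwise a reason string."""
    n = name.strip().lower()
    # A scheme or path means someone put a URL into a dNSName entry.
    if "://" in n or "/" in n:
        return "url"
    # IP addresses belong in an iPAddress SAN, never in dNSName.
    try:
        ipaddress.ip_address(n)
        return "ip-address"
    except ValueError:
        pass
    # Wildcards are allowed; lint the remainder of the name.
    if n.startswith("*."):
        n = n[2:]
    labels = n.split(".")
    # Single-label names, empty labels and bad characters are all invalid.
    if len(labels) < 2 or any(not LABEL_RE.match(label) for label in labels):
        return "invalid-dns-name"
    # Anything not under an allowed TLD is out of scope; an internal-only
    # suffix such as ".serpro" lands here as well.
    if labels[-1] not in ALLOWED_TLDS:
        return "out-of-scope-tld"
    return None


def lint_certificates(certs):
    """certs: iterable of (serial, [dNSName, ...]).

    Returns a list of (serial, name, reason) for every entry that should
    trigger a review and, where confirmed, revocation.
    """
    findings = []
    for serial, names in certs:
        for name in names:
            reason = classify_name(name)
            if reason is not None:
                findings.append((serial, name, reason))
    return findings


# Constructed sample issuances; serials and names are not real.
SAMPLE_CERTS = [
    ("01", ["www.exemplo.gov.br", "exemplo.gov.br"]),
    ("02", ["https://portal.exemplo.gov.br"]),
    ("03", ["10.0.0.5"]),
    ("04", ["servico.exemplo.com"]),
    ("05", ["host.serpro"]),
    ("06", ["*.exemplo.gov.br"]),
]

if __name__ == "__main__":
    for finding in lint_certificates(SAMPLE_CERTS):
        print(*finding)
```

Running this over the sample set reports four findings (serials 02 through 05) and passes the two well-formed `.br` entries, including the wildcard. The point of keeping the classifier separate from the loop is that the same function can be run at pre-issuance time as a hard reject and at post-issuance time as the sweep the message describes, so the two controls cannot drift apart.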
