While it's just a naming thing and unrelated to actual crypto, isn't SSL deprecated like 2015? And the certificate they cross-signed, this https://crt.sh/?id=3396721343 (which is already trusted by MS, and has a handful of CAs under it), I wonder why they are not trying to include that instead of this?

On Wednesday, December 7, 2022 at 3:00:40 AM UTC+9, Charles Reiss wrote:
> 1. The WebTrust audit for period ending 29 May 2022 states:
> "SERPRO-CA makes use of external registration authorities for specific
> subscriber registration activities as disclosed in SERPRO-CA’s business
> practices. Our procedures did not extend to the controls exercised by
> these external registration authorities."
> But section 1.3.2 of the CPS seems to only mention an internal RA. What
> external RAs is the audit statement referring to?
>
> 2. The period of time audit for May 2020-2021 appears to be at
> https://repositorio.serpro.gov.br/docs/auditoria/02_-_AC_SERPRO_SSL_Webtrust_BR_SSL_and_Network_Security_-_Period_of_Time_Audit_Report.pdf .
> In this audit the malformed SANs others have found are noted and the
> management's assertions state that SERPRO "started the certificate
> revocation process, with subsequent re-issuance, a process that is in
> progress" in a statement dated 25 August 2021. The CRL for the "Autoridade
> Certificadora do SERPRO SSLv1" subCA appears to have timestamps well into
> September for when these certificates are actually revoked (for example,
> https://crt.sh/?id=4541931304 has revocation timestamped 9 September).
> This seems to violate the 24-hour timeline expected in the BRs and SERPRO's
> CPS for revocation once SERPRO becomes aware certificates were issued in
> error.
>
> On Wednesday, November 16, 2022 at 10:52:33 PM UTC-5 [email protected] wrote:
>
>> All,
>>
>> This is to announce the beginning of a six-week public discussion period
>> for the inclusion request of Serviço Federal de Processamento de Dados
>> (SERPRO) (Bug # 1677631
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631>, CCADB Case # 680
>> <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000680>)
>> for its Autoridade Certificadora do SERPRO SSLv1 issuing CA certificate
>> (SERPRO SSLv1), issued under the Autoridade Certificadora Raiz Brasileira
>> v10, which is the root CA designated under the Brazilian PKI for support of
>> TLS certificate issuance. Mozilla is considering SERPRO’s request to
>> add the SERPRO SSLv1 CA as a trust anchor with the websites trust bit
>> enabled.
>>
>> Download – https://repositorio.serpro.gov.br/cadeias/serprossl.crt
>>
>> crt.sh -
>> https://crt.sh/?sha256=08FC942D5176E568ACBEF9C595F36A20DE6ACF9EA30C6F5FCEDD48216ED5B070
>>
>> *Repository:* The SERPRO document repository is located here:
>> https://certificados.serpro.gov.br/serprossl/certification-policies.
>>
>> *Relevant Policy and Practices Documentation:*
>>
>> An English version of the SERPRO CPS (v.4.2), March 2022, is available
>> here: https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA.pdf
>>
>> *Self-Assessments and Mozilla CPS Reviews* are located within Bug #
>> 1677631 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631>:
>>
>> AC_SERPRO_SSL_Self_Assessment.ods
>> <https://bugzilla.mozilla.org/attachment.cgi?id=9192419>
>>
>> Mozilla’s CP/CPS Review comments – Comment #2
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c2>, Comment #73
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c73>, and Comment
>> #77 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c77>
>>
>> *Value-vs-Risk Justification from SERPRO* – see Value vs
>> Risk_SERPRO_SSL_CA.pdf
>> <https://bugzilla.mozilla.org/attachment.cgi?id=9292088>
>>
>> *Audits:* Annual audits have been performed by PKI Contabilidade e
>> Auditoria Ltda in accordance with the Webtrust Principles and Criteria for
>> Certification Authorities. The most recent audits available were published
>> on July 22, 2022, for the period ending May 29, 2022. See
>>
>> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=b6a5cf89-dd0a-484e-bad5-5cf4faeb10a0
>> (Standard Webtrust)
>>
>> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=5bee38f1-db75-46fe-91df-2ff67c6f0560
>> (WebTrust Baseline Requirements)
>>
>> I have no other questions related to SERPRO’s inclusion request; however,
>> I urge anyone with concerns or questions to raise them on this list by
>> replying directly in this discussion thread. Likewise, a representative of
>> SERPRO must promptly respond directly in the discussion thread to all
>> questions that are posted.
>>
>> This email begins a 6-week period for public discussion and comment,
>> which I’m scheduling to close on or about December 31, 2022, after which,
>> if no concerns are raised, we will close the discussion and the request may
>> proceed to Mozilla’s one-week “last-call” phase.
>>
>> Sincerely yours,
>>
>> Ben Wilson
>>
>> Mozilla Root Program Manager
