1. CA CHECKER: CA Checker is a public use tool for CA Mis-issuance Checker;
2. How were you validating control of the DNS domains if you weren't ensuring you were only issuing certificates to DNS names?

The issuance of certificates with names that were not DNS would occur, because before we submitted our CA to the root programs there was a usage scenario where web applications authenticated their APIs using the application name as identified and not a DNS, but when adhering to the webtrust requirements, we have eliminated this practice and now the CA software itself verifies that the content is a valid DNS before certificate issuance.

3. So to confirm: you're promising to do better once accepted into the root program? But you're not willing to show that you can and will do this prior to being accepted?

That's not what I tried to explain. We are already adhering to the rules of BR SSL. We have implemented all the controls required in the policies, the problems that occurred have all been corrected and that we have no non-conformities in the certificates that are active, we are not waiting to be accepted into the root program to start initiating any rules. They are already in our CA. You can check the annual results of our external audit.

On Thursday, December 8, 2022 at 14:21:15 UTC-3, [email protected] wrote:

> On Thu, Dec 8, 2022 at 7:57 AM Lucia Castelli <[email protected]> wrote:
>
>> Now I understand better. Thanks for rephrasing the question.
>> What happened was that we started using the CACHECKER "first" instead of
>> waiting for the Root CA to be alerted to wrong certificates.
>> We always aim to only use CA SSL/TLS software in compliance with BR SSL
>> requirements.
>>
>
> 1) What is CACHECKER exactly (a service? software?)
>
> 2) How were you validating control of the DNS domains if you weren't
> ensuring you were only issuing certificates to DNS names? Because you
> issued many certificates to urls, single names and so on spanning months.
>
>> We understand that we need to respect the rules about the time for
>> revocation, and we started intensify this issue even more if we are
>> accepted in root programs.
>> Well, as I read the bugzillas daily, I see that even today there are
>> still CAs, that are in the program, and also have problems, keeping the
>> revocation time within the rules.
>>
>
> So to confirm: you're promising to do better once accepted into the root
> program? But you're not willing to show that you can and will do this prior
> to being accepted?
> Thanks
>
>> We assume that we have rules to resolve issues and not remain impartial.
>> Thanks about your question.
>>
>> On Thursday, December 8, 2022 at 11:48:38 UTC-3,
>> [email protected] wrote:
>>
>>> Hello:
>>>
>>> regarding this:
>>>
>>>> 2 - As I explained earlier, we had problems with the SAN of all these
>>>> certificates, alerted by Mozilla to our Root CA, as the Root CA rules
>>>> overlapped the BR SSL rules.
>>>>
>>>> Unfortunately, due to the very large number of certificates, it was not
>>>> possible to fulfill what is expected(24 hours timeline), both from the BR
>>>> SSL regulations and what we reflect in our regulations (CPS).
>>>>
>>>> These revocations, unfortunately, lasted much longer than expected.
>>>>
>>>> We understand that we would not, yet, be infringing the rules, because
>>>> our certificate is not in the Mozilla program.
>>>>
>>> I suppose my question is what specific operational changes have been
>>> made on your side since then so that the inability to fulfill the baseline
>>> requirements won't remain an issue were you to be part of Mozilla's program?
>>>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
>

--
You received this message because you are subscribed to the Google Groups "public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/c258a33f-bd1d-40b1-b185-ce6e6ddd53f9n%40ccadb.org.
