Per the Mozilla, Apple, and Microsoft root program policies, all CA Owners with one or more Root or Intermediate CAs trusted for the issuance of S/MIME certificates should have completed an S/MIME BR audit by now and disclosed the audit details on each applicable CCADB record.
I recently added tracking to https://crt.sh/mozilla-disclosures to flag missing and inconsistent disclosures of S/MIME BR audits. Since this crt.sh report is currently flagging issues for a number of CA Owners, I thought I would share a summary of the findings here. In my view, most (if not all) of these issues should be treated as incidents per https://www.ccadb.org/cas/incident-report. CA Owners with Missing S/MIME BR Audit details: GoDaddy: Several applicable Root Certificate records don’t specify any S/MIME BR audit details. The WebTrust seals on https://certs.godaddy.com/repository do not include an S/MIME BR seal. Has GoDaddy undergone an S/MIME BR audit? TWCA: No S/MIME BR audit details have been disclosed on one Root Certificate record. This root CA isn’t directly trusted for S/MIME, but it counts as S/MIME-capable because it’s cross-certified by a root that is trusted for S/MIME. Is ticking “Audits Same as Parent” the required resolution here? DigitalSign - Certificadora Digital, S.A.: Two root certificates have only the Email trust bit set in NSS, but the corresponding Root Certificate records in CCADB have no S/MIME BR audit details disclosed. Has DigitalSign undergone an S/MIME BR audit? eMudhra: Two applicable Intermediate Certificate records don’t specify any S/MIME BR audit details. Is ticking “Audits Same as Parent” the required resolution here? Entrust: Two applicable Root Certificate records don’t specify any S/MIME BR audit details. Although these roots have been distrusted for further issuance of TLS server certificates, they are still fully trusted for the issuance of S/MIME certificates. Has Entrust undergone an S/MIME BR audit? Siemens (externally-operated Sub-CAs under Entrust): Several applicable Intermediate Certificate records specify no S/MIME BR audit details. Has Siemens undergone an S/MIME BR audit? Ministerie van Defensie (externally-operated Sub-CA under PKIoverheid): One applicable Intermediate Certificate record doesn’t specify any S/MIME BR audit details. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1911335. LAWtrust: One applicable Root Certificate record doesn’t specify any S/MIME BR audit details. Has LAWtrust undergone an S/MIME BR audit? Cybertrust Japan (externally-operated Sub-CA under SECOM Trust Systems): One applicable Intermediate Certificate record doesn’t specify any S/MIME BR audit details. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1950574. CA Owners with Inconsistent Disclosure of S/MIME BR Audit details: Asseco Data Systems: One applicable Root Certificate record doesn’t specify any S/MIME BR audit details. Although this root certificate is not present in root stores, its signature can be validated by a doppelganger root that is. (The serial number of this self-signed root certificate appears in the CRL, but I think it’s questionable as to whether self-signed certificates can actually be revoked in this manner. This self-signed root certificate is also listed in OneCRL, but AIUI OneCRL is only applicable to Firefox’s use of TLS server certificate chains, meaning that it’s out of scope for Mozilla’s interest in S/MIME). DigiCert: Two applicable Root Certificate records don’t specify any S/MIME BR audit details. These root CAs aren’t directly trusted for S/MIME, but they do inherit S/MIME-capability via cross-certification from other DigiCert roots. (The CCADB records for the cross-certificates all specify “Audits Same as Parent”, and the corresponding parent records do specify S/MIME BR audit details). Microsec: Similar to the Asseco Data Systems case, a doppelganger Root Certificate record doesn’t specify any S/MIME BR audit details. Cybertrust Japan (externally-operated Sub-CA under SECOM Trust Systems): One applicable Intermediate Certificate record doesn’t specify any S/MIME BR audit details (see above), whereas a doppelganger Intermediate Certificate record does. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1950574. Telia: In two cases, the S/MIME BR audit Statement Date differs between a Root Certificate record and a corresponding Intermediate Certificate (cross-certificate) record. apple-disclosures I have also added tracking to https://crt.sh/apple-disclosures to flag missing and inconsistent disclosures of S/MIME BR audits. This report currently flags issues for some additional CA Owners, but since crt.sh is not yet tracking all of the intricacies of Apple’s root store metadata there may be some false positives. -- Rob Stradling Distinguished Engineer Sectigo Limited -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB47298BAE9940F13E86CB678BAACB2%40MW4PR17MB4729.namprd17.prod.outlook.com.
