[ Please reply to list, Mozilla NNTP<->mail gateway seems to insert
wrong Reply-To ]

Telia is a notable case as this seems to be a brand new Intermediary
created but not disclosed 1 month ago.

On 09/10/2018 12:43, Rob Stradling wrote:
"ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs
of the Mozilla Root Store Policy requirement [2] that
non-technically-constrained intermediate CA certificates...
    "MUST be publicly disclosed in the CCADB by the CA that has their
     certificate included in Mozilla's root program. The CA with a
     certificate included in Mozilla's root program MUST disclose this
     information within a week of certificate creation, and before any
     such subordinate CA is allowed to issue certificates."

In their responses to "ACTION 6" [3], most CAs indicated that...
    "We are aware of the requirements for intermediate certificate
     disclosure and have processes in place to ensure that these
     requirements are met"

There are currently 20 undisclosed non-technically-constrained
intermediates, belonging to 6 Root Owners, on "Rob's naughty list" [4]
(snapshot at [5]).  All 20 were undisclosed and listed (on [4]) on the
day the responses to [1] were due (September 30th), which means that
they have not been disclosed "within a week of certificate creation".

So, ISTM that the "processes in place to ensure that these requirements
are met" are insufficient/broken for at least the following Root Owners:
    - Certicámara
    - DigiCert
    - DocuSign (OpenTrust/Keynectis)
    - SECOM Trust Systems CO., LTD.
    - SwissSign AG
    - Telia Company (formerly TeliaSonera)

Wayne, Kathleen:
Given the number of times that all the CAs in Mozilla's Root Program
have been reminded about Mozilla's requirements for disclosing
intermediate certs, I wouldn't blame you if you decided to add these 20
intermediate certs [5] to OneCRL immediately!


[1]
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL

[2]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited

[3]
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00078,Q00079

[4] https://crt.sh/mozilla-disclosures#undisclosed

[5] https://crt.sh/reports/20181009_MozillaDisclosures.html#undisclosed



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy