When Rob Stradling announced the excellent addition of the "Inconsistent Audit Details" and "Inconsistent CP/CPS Details" sections to the crt.sh Mozilla CA Certificate Disclosures report [1], we discovered some inconsistencies between Mozilla's expectations and CCADB policy [2]. To correct this, the following list of exceptions to providing audit information *for intermediate certs* has been added to the policy:
- The SHA-256 fingerprint of the certificate is specifically listed as in scope in the audit statements of the parent certificate, and the "Audits Same as Parent" checkbox is checked; or
- The certificate has expired; or
- The certificate is technically-constrained as described in section 7.1.5 of the CA/Browser Forum Baseline Requirements; or
- The certificate has been revoked, and the corresponding record in the CCADB has been updated with the correct revocation status.

This change is captured in CCADB policy issues #30 [3] and #31 [4].

- Wayne

[1] https://crt.sh/mozilla-disclosures
[2] https://www.ccadb.org/policy#5-policies-practices-and-audit-information
[3] https://github.com/mozilla/www.ccadb.org/issues/30
[4] https://github.com/mozilla/www.ccadb.org/issues/31