All,

I hadn't announced this page yet, hoping to reference it in an email currently undergoing internal review. But thanks for your comment. I'll see about posting the email as soon as I can.

Thanks,
Ben

On Mon, May 6, 2024 at 3:58 PM Mike Shaver <mike.sha...@gmail.com> wrote:

> The page lists the following issue:
>
> “
> 5. EV Certificate missing Issuer’s EV Policy OID -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1888714
>
> Entrust issued 1,963 EV TLS certificates September 11-22, 2023, without
> including an EV TLS CP OID. Root Causes were the misinterpretation of the
> EV Guidelines and the TLS BRs and a failure to recognize the overriding
> requirements of the EV Guidelines. (A misinterpretation of standards led to
> non-compliant certificates, and linting failed to detect the issue.) As
> remediation, since April 11, 2024, Entrust has used pkilint as a
> post-issuance linter to detect similar issues. (Mis-issued certificates are
> a subset of the certificates disclosed and being revoked under bug
> #1883843 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883843>. Status
> of revocation is listed in bug #1886532
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1886532>.)
>
> *Issues:* Misinterpretation of Requirements; Policy/Procedure Failure;
> Certificate Mis-issuance”
>
> In my opinion it should also list that Entrust promised to provide a full
> list of affected certs and an incident report by April 5th, and continued
> to comment in the bug, but did not post that list or the IR until April
> 10th. No comment was made about a delay, or the reason that it was
> necessary.
>
> Mike