I'd like to bring your attention to
https://bugzilla.mozilla.org/show_bug.cgi?id=966350
because I haven't seen any public discussion related to this request
yet.

I'm quoting subsets from the bug (please refer to the above link for the
full statement):

"At the end of 2013, Symantec issued a cert to one of its customers that
did not comply with several provisions of the CA/Browser Forum Baseline
Requirements. We did this knowingly because if we had not, the customer
would have experienced a significant loss of business. In addition,
Symantec believed that this certificate posed very little or no risk to
browser users." ... "The certificate is not intended to be used by a
browser. We exhausted all other possible technical options before taking
this step."

Symantec asked us to blacklist the certificate, and provided
identifying attributes of the certificate.

In the meantime, the complete certificate has been attached to the bug,
too, together with a certificate that had expired by the end of 2013. It
seems the certificate that has been issued recently, and which we have
been asked to blacklist, was a replacement certificate for the one that
had expired.

The replacement certificate had the following attributes:
- it contained a backdated "not before" attribute
  (identical with the earlier one)
- issued directly by the root (not from an intermediate)
- used a short 1024-bit key
- didn't contain OCSP AIA (only CRL)
- included policy OID 2.16.840.1.113733.1.7.54,
  which seems to describe that it's compliant with
  CABForum BR, although it isn't.

(Please correct me if I made any mistakes in writing this summary.)

This motivates me to a few questions:

(a) Although the certificate is described as "not intended to be used by
a browser", does that argument qualify as a justification to knowingly
ignore the Baseline Requirements? If the certificate is installed on a
server on the public Internet, isn't it technically possible that a
browser, which knows the server's address, could connect to the server
using that certificate? I think the answer is probably "yes, a browser
could still connect to the site", and that is probably the motivation
for asking us to blacklist the non-complying certificate.

(b) Can you please clarify what the value of the Baseline
Requirements is, if a CA is willing to ignore them because otherwise a
"significant loss of business" would be the consequence?

(c) Did the CABForum define any clear rules about the circumstances
under which exceptions to the Baseline Requirements are allowed, or
acceptable? Are there any rules that a CA must follow when issuing
non-complying certificates? If the answer to any of these questions is
"no", could the CABForum work on that? For example, should the CA have
immediately announced the non-complying certificate (or at least the
identifying attributes of the certificate) on the public cabforum mailing
list, together with a detailed justification? (I'd personally think that
a justification should include more than the statement "loss of
business", but should include the technical facts that justified the
exception.)

Thanks and Regards
Kai


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
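The attribute list in the post, turned into a check a reviewer could run over a certificate instead of reading it off by hand. This is an added example in Go (the language of the x509 linting tools the root programs use), not code from the post, from Mozilla or from Symantec. It builds, in memory, a constructed self-signed root and a leaf carrying the five listed properties and reports each one; the names, dates, URLs and the one-day backdating threshold are made up for the example, and the policy OID is the one quoted above. The certificate itself cannot reveal backdating, so the real issuance time (from CA logs or first observation) is a separate input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// brPolicyOID is the policy OID quoted in the post; only its presence is tested here.
var brPolicyOID = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 7, 54}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers are kept raw.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// certificatePolicies decodes the extension from raw DER, so the check does not
// depend on which Go field (PolicyIdentifiers or Policies) a Go version fills in.
func certificatePolicies(c *x509.Certificate) []asn1.ObjectIdentifier {
	var oids []asn1.ObjectIdentifier
	for _, ext := range c.Extensions {
		var infos []policyInformation
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			continue
		}
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
	}
	return oids
}

// CheckLeaf reports the deviations the post lists. issuer is the certificate that
// signed leaf; issuedAt is when the CA really issued it (CA logs, first observation).
func CheckLeaf(leaf, issuer *x509.Certificate, issuedAt time.Time) []string {
	var f []string
	// Assumed threshold: notBefore more than a day before real issuance is backdating, not skew.
	if leaf.NotBefore.Before(issuedAt.Add(-24 * time.Hour)) {
		f = append(f, "backdated notBefore")
	}
	if leaf.CheckSignatureFrom(issuer) == nil && issuer.CheckSignatureFrom(issuer) == nil {
		f = append(f, "issued directly from a self-signed root")
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		f = append(f, fmt.Sprintf("RSA key only %d bits", pub.N.BitLen()))
	}
	if len(leaf.OCSPServer) == 0 {
		f = append(f, "no OCSP responder in AIA")
	}
	for _, oid := range certificatePolicies(leaf) {
		if oid.Equal(brPolicyOID) && len(f) > 0 {
			f = append(f, "asserts policy "+oid.String()+" while non-compliant")
		}
	}
	return f
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSample builds, in memory, a self-signed root and a leaf carrying the
// attributes from the post. Names, dates and URLs are made up for the example.
func BuildSample() (leaf, root *x509.Certificate, issuedAt time.Time) {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2036, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafKey := must(rsa.GenerateKey(rand.Reader, 1024)) // the short key from the post
	policies := must(asn1.Marshal([]policyInformation{{Policy: brPolicyOID}}))
	issuedAt = time.Date(2013, 12, 20, 0, 0, 0, 0, time.UTC) // assumed actual issuance date
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "replacement.example"},
		DNSNames:  []string{"replacement.example"},
		NotBefore: time.Date(2012, 12, 1, 0, 0, 0, 0, time.UTC), // copied from the expired predecessor
		NotAfter:  time.Date(2015, 12, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example/root.crl"}, // CRL only, no OCSP AIA
		ExtraExtensions:       []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return leaf, root, issuedAt
}

func main() {
	leaf, root, issuedAt := BuildSample()
	for _, finding := range CheckLeaf(leaf, root, issuedAt) {
		fmt.Println("FAIL:", finding)
	}
}
```

The policy finding is only raised when another finding exists, which is the post's point: the OID is asserted on a certificate that does not meet what it claims. Against a real certificate, replace BuildSample with a DER file parsed by x509.ParseCertificate and pass the issuing certificate and the issuance date you have evidence for.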
