On 2014-08-14 14:42, Kurt Roeckx wrote:
> Do we also need a policy about how fast we would like issues to be
> fixed?  At which point do we remove a CA that does not comply?

So CAB baseline has:
13.1.5 Reasons for Revoking a Subscriber Certificate

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

13.1.6 Reasons for Revoking a Subordinate CA Certificate

The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7) days if one or more of the following occurs:
5. The Issuing CA is made aware that the Certificate was not issued in accordance with or that Subordinate CA has not complied with these Baseline Requirements or the applicable Certificate Policy or Certification Practice Statement;

I currently have 24 open bugs in violation of those requirements. The (root) CAs have been made aware of those problems. The subscriber certificates have not been revoked within the 24-hour limit, nor have the subordinate CAs been revoked within 7 days. So it is my belief that we have every right to remove and distrust all those root CAs.
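As an added illustration (not code from this thread or from any root program), here is a small tracker that applies the two Baseline Requirements deadlines quoted above to a set of misissuance bug records and reports which root CAs have missed them. The bug ids, CA names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Revocation deadlines from CAB Forum BR 13.1.5 (subscriber certificate,
# 24 hours) and 13.1.6 (subordinate CA certificate, 7 days), counted from
# the moment the CA is "made aware" of the problem.
REVOCATION_DEADLINE = {
    "subscriber": timedelta(hours=24),
    "subordinate_ca": timedelta(days=7),
}


@dataclass
class MisissuanceBug:
    bug_id: str                 # hypothetical tracker id (constructed)
    root_ca: str                # root CA responsible for the chain (constructed)
    cert_type: str              # "subscriber" or "subordinate_ca"
    ca_notified: datetime       # when the CA was made aware
    revoked_at: Optional[datetime] = None  # None while the cert is still unrevoked


def deadline_for(bug: MisissuanceBug) -> datetime:
    """BR revocation deadline for this bug; unknown cert types raise KeyError."""
    return bug.ca_notified + REVOCATION_DEADLINE[bug.cert_type]


def classify(bug: MisissuanceBug, now: datetime) -> str:
    """One of: revoked_in_time, revoked_late, overdue, pending."""
    deadline = deadline_for(bug)
    if bug.revoked_at is not None:
        return "revoked_in_time" if bug.revoked_at <= deadline else "revoked_late"
    return "overdue" if now > deadline else "pending"


def noncompliant_roots(bugs, now: datetime) -> dict:
    """Map root CA -> [(bug_id, status)] for roots with at least one missed deadline."""
    per_root = {}
    for bug in bugs:
        per_root.setdefault(bug.root_ca, []).append((bug.bug_id, classify(bug, now)))
    return {root: entries for root, entries in per_root.items()
            if any(status in ("revoked_late", "overdue") for _, status in entries)}


# Constructed sample records; "now" is the date of the message above.
NOW = datetime(2014, 8, 14, 14, 42)
SAMPLE_BUGS = [
    MisissuanceBug("BUG-1", "Root A", "subscriber", datetime(2014, 8, 1, 10), datetime(2014, 8, 1, 20)),
    MisissuanceBug("BUG-2", "Root A", "subscriber", datetime(2014, 8, 10, 9)),
    MisissuanceBug("BUG-3", "Root B", "subordinate_ca", datetime(2014, 8, 10, 9)),
    MisissuanceBug("BUG-4", "Root C", "subordinate_ca", datetime(2014, 7, 20), datetime(2014, 8, 1)),
]

if __name__ == "__main__":
    for root, entries in noncompliant_roots(SAMPLE_BUGS, NOW).items():
        print(root, entries)
```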


dev-security-policy mailing list