On Monday, December 14, 2015 at 8:59:03 PM UTC+2, Charles Reiss wrote:
> On 12/14/15 17:56, Eli Spitzer wrote:
> > The SubCA "Comsign Ev SSL CA" is at its initial development stages. It was
> > indeed created under "Comsign Global Root CA", but so far we only issued a
> > handful of test certificates from it. We have no plans to issue public
> > certificates from it at the moment, since the EV trust bit will not be
> > active any time soon.
> 
> Mozilla's policy requires subCAs to be publicly disclosed "before any []
> subordinate CA is allowed to issue certificates." How was this performed for
> this subCA?
> 

The request to add "Comsign Global Root CA" was submitted to Mozilla on 
2014-11-30.
The Comsign CA Hierarchy details were submitted to Mozilla on 2015-05-21.
On both dates there was no SubCA called "Comsign EV SSL CA" in existence. It 
was created on 2015-09-24, as can be seen in the certificate that you have 
found.
Since this Root CA request is taking a very long time to progress, naturally some 
processes are taking place in Comsign over time, and we are committed to 
disclosing any development to Mozilla. However, this SubCA has never issued any 
certificate to end-entities other than Comsign itself. Moreover, this SubCA may 
even be revoked soon before it will ever do so, since for now it is strictly 
for testing purposes.
It is possible to say that it was a simple oversight, but in fact this SubCA 
does not ever fall under the requirement of the policy that it will not be 
"allowed to issue certificates" - since Comsign is not even considering 
issuing any certificate from it before we have the EV trust bit.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy