On 12/14/15 1:17 PM, Charles Reiss wrote:
On 12/14/15 19:56, Eli Spitzer wrote:
On Monday, December 14, 2015 at 8:59:03 PM UTC+2, Charles Reiss wrote:
On 12/14/15 17:56, Eli Spitzer wrote:
The SubCA "Comsign Ev SSL CA" is at its initial development stages. It
was indeed created under "Comsign Global Root CA", but so far we only
issued a handful of test certificates from it. We have no plans to issue
public certificates from it at the moment, since the EV trust bit will
not be active any time soon.

Mozilla's policy requires subCAs to be publicly disclosed "before any []
subordinate CA is allowed to issue certificates." How was this performed
for this subCA?


The request to add "Comsign Global Root CA" was submitted to Mozilla on
2014-11-30. The Comsign CA Hierarchy details were submitted to Mozilla on
2015-05-21. On both dates there was no SubCA called "Comsign EV SSL CA" in
existence. It was created on 2015-09-24, as can be seen in the certificate
that you have found. Since this Root CA request is taking a very long time to
progress, naturally some processes are taking place in Comsign over time, and
we are committed to disclosing any development to Mozilla. However, this SubCA
has never issued any certificate to end-entities other than Comsign itself.
Moreover, this SubCA may even be revoked soon before it will ever do so,
since for now it is strictly for testing purposes. It is possible to say that
it was a simple oversight, but in fact this SubCA does not ever fall under
the requirement of the policy that it will not be "allowed to issue
certificates" - since Comsign is not even considering issuing any
certificate from it before we have the EV trust bit.

The existence of test certificates which chain to this subordinate CA
certificate (like the one censys.io found) clearly puts it in the scope of
Mozilla's disclosure policy.

Mozilla's policy says "issue certificates", not "issue non-test certificates" or
"issue certificates to third-parties".
This is a good example of why Mozilla's policy needs to be updated to be more clear about this.

See the discussion called "Policy Update Proposal: Timeline for Disclosing SubCAs"
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/EDRp1Fil3u8/ub33LOoDAgAJ

The CA Community in Salesforce will make it easier to disclose such information too.

Thank you for raising this point. I will update my records with this information, but I do not see it as a show-stopper for this request at this time.

Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy