On Wed, Apr 6, 2016 at 10:58 AM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> My understanding is that this root certificate is included in both the Apple 
> and Microsoft root stores and trusted for TLS, so regardless of what 
> Mozilla's wiki pages say, it is a publicly trusted root certificate and 
> should be meeting all of the requirements of the CA/Browser Forum's Baseline 
> Requirements.
>
> Therefore, my inclination is to put this discussion on hold until a full BR 
> audit has been performed, and the audit statement provided.

Kathleen,

Based on discussions I have had with auditors, there is not a clear
standard on what constitutes the "first certificate" for the purposes
of starting the 90 day period.  I know that there is one
interpretation that certificates where the issuer, subject, and domain
registrant are the same entity are not adequate to demonstrate
exercise of controls.  That being said,
https://crt.sh/?Identity=%25&iCAID=1632 clearly shows that a CA signed
by "ComSign Global Root CA" has issued certificates that do not appear
to be for domains controlled by ComSign.  The earliest has a notBefore
date of 2014-10-26.  Therefore it would seem that the first
examination period should have ended on or before 2015-01-26. Even
being extremely generous with time for the auditor to prepare an
attestation report, there should be a period-of-time report by now, a
year later.

I believe there is a requirement for an unbroken sequence of audit
periods. I would therefore hope that ComSign will provide audit
reports that document the period starting from when they generated or
acquired their CA keys to the end of the most recent examination
period.  If this is not possible, I would hope that they will provide
a clear statement from their management as to why this is not possible
and an explanation of the controls they had in place to ensure that the
keys were not misused during the unaudited period.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy