On Tuesday, 31 May 2016 16:19:24 UTC+1, Eric Mill wrote:
> Mozilla's Salesforce disclosures include the Blue Coat intermediate, which
> is listed as under Symantec's CP and CPS:
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
So far as I've seen there's every reason to believe this only became news at all because Symantec finally disclosed the existence of this certificate earlier in May, and so it was added to the CT logs. Without the carrot + stick approach which has been taken for disclosure of intermediates, this CA cert would still exist (it was created nine months or so ago) but it wouldn't be known, so it wouldn't be news. If the message sent is "once you disclose an intermediate you'll get beaten up for that" there's a powerful disincentive to disclose at all.

There's plenty of hysteria about this cert based on who it was issued to, which is funny because the best example of real trust ecosystem risk we have recently is from the Disney subCA [quietly revoked by its issuer when it ceased obeying the BRs...], yet I saw precisely zero people freaked out that Disney had an unconstrained intermediate when that information was first public.

That said, so far as I understand the Mozilla requirement is actually that such intermediates be disclosed _and audited_. The present disclosure from Symantec asserts that this intermediate is covered by the same audit as for all their other intermediates, but the certificate was actually issued _long after_ the period that audit covers, so this assertion by Symantec is nonsense.

We need to get CAs to be honest with us. If the situation is that you've got no audit coverage for an intermediate, you need to _fix_ that, not just pretend it's covered by an audit report that doesn't even mention the intermediate and was written months before it existed.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

