On Friday, October 28, 2016 at 9:06:44 AM UTC-7, Ben Wilson wrote:
> -----Original Message-----
> Subject: RE: New SHA-1 certificates issued in 2016
> 
> Thank you, Patrick, for pointing these out to us.  DigiCert has been in the 
> forefront pushing the move toward SHA-2. In fact, we've been issuing SHA-2 
> certificates by default to our customers for a couple of years now.  We've 
> communicated with these sub-CAs and requested that these certificates be
> revoked.   We'll follow up with a status report on our efforts sometime next
> week.
> Sincerely yours,
> Ben Wilson
> DigiCert VP of Compliance

Ben,

While it's useful that you've requested these certs be revoked, as has been 
pointed out during numerous discussions of SHA-1, a revocation does not 
mitigate the fact that a SHA-1 cert was issued, as an attacker can manipulate 
the contents in such a way as to avoid any revocations.

More important to the community would be understanding why these subordinate 
CAs are not complying with the Baseline Requirements, as required by the 
Mozilla Root Certificate Program policies, and as required by the Baseline 
Requirements.

As these are not technically constrained sub-CAs, what we have is demonstrable 
evidence of several possibilities, most seriously:
1) That these CAs may not be adhering to the Baseline Requirements as part of 
their policies - an indicator that their auditors may be derelict in their 
professional duties to ensure that the policies and practices are consistent 
with the BRs
2) If their policies document adherence, as they're required to, then these CAs 
are not issuing according to their CP/CPS

Could you indicate what steps DigiCert is taking to assure members of the 
public that these subordinate CAs will be operated in a manner consistent with 
expectations?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
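The point above is that issuance, not validity, is the violation: a SHA-1 certificate with a notBefore on or after 2016-01-01 breaches the Baseline Requirements whether or not it is later revoked. The following check is an added example, not code from the thread or from any CA; it walks the DER of a certificate, reads the signature algorithm OID and notBefore, and ignores revocation entirely. The `make_cert` helper builds a skeletal, unsigned certificate structure purely as constructed sample input.

```python
# Added example: flag SHA-1-signed certificates whose notBefore falls on or
# after the BR sunset date, regardless of revocation status.
from datetime import datetime, timezone

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
BR_SHA1_SUNSET = datetime(2016, 1, 1, tzinfo=timezone.utc)

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def children(seq):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        yield tag, val

def sha1_issued_after_sunset(cert_der):
    """True if the cert is SHA-1-signed and notBefore >= 2016-01-01."""
    _, cert, _ = tlv(cert_der)
    tbs = next(children(cert))[1]                        # tbsCertificate
    parts = [v for t, v in children(tbs) if t != 0xA0]   # drop [0] version
    sig_oid = next(children(parts[1]))[1]                # signature AlgorithmIdentifier
    nb_tag, nb_raw = next(children(parts[3]))            # validity.notBefore
    fmt = "%y%m%d%H%M%SZ" if nb_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    nb = datetime.strptime(nb_raw.decode(), fmt).replace(tzinfo=timezone.utc)
    return sig_oid == SHA1_RSA and nb >= BR_SHA1_SUNSET

def der(tag, body):
    """Minimal DER encoder (lengths < 256), used only to build sample input."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def make_cert(sig_oid, not_before):
    """Constructed, unsigned certificate skeleton for testing the check."""
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, b"201231235959Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x2a") + alg
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(sha1_issued_after_sunset(make_cert(SHA1_RSA, "160315000000Z")))  # True
```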