Hi Rob - thanks for following up. 

The Belgium root was granted an extension by the browsers until January 15th
to complete the audit and January 31st to submit the audit report. We are
still told they are hosted by Verizon and, considering the audit progress, I
have no reason to doubt this.

-----Original Message-----
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Monday, January 9, 2017 9:28 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

On 03/11/16 19:34, Jeremy Rowley wrote:
<snip>

Hi Jeremy.

> 7.       The Belgium government is our biggest challenge in migrating
> Verizon customers. With over 20 issuing CAs, Belgium has the largest
> outstanding non-compliant infrastructure. The operators have also claimed
> that revoking their issuing CAs is illegal (in Belgium). The government is
> using the issuing CA for creating personal identification (e-ID) cards
> throughout the country. The Belgium government has dictated that they set
> the rules, not us. Although the Belgium government does not have an audit
> yet, Verizon has represented that the issuing CAs are hosted in the Verizon
> infrastructure and are potentially covered by the Verizon audit.

I've noticed that some of the Belgian government CAs have been disclosed to
the CCADB with the CP/CPS and Audit fields marked as "Same as Parent",
whereas the CP/CPS and Audit fields for the rest of those CAs have not yet
been filled in.

If it's true that all of "the issuing CAs are hosted in the Verizon
infrastructure and are potentially covered by the Verizon audit", then it
would seem reasonable to expect to see the CP/CPS and Audit details for all
of the Belgian government CAs set identically.  Right?

Using the data on crt.sh (from which https://crt.sh/mozilla-disclosures
is produced), I've summarized the current Belgian government CA disclosures
in this spreadsheet:
https://docs.google.com/spreadsheets/d/1K4DEjqKvC5r_aiUGDYvbJBPVSOm8E6MO6RJQ
oj9zbrY/edit?usp=sharing

Were the "Same as Parent" tickboxes ticked correctly, or in error?

> We've asked Verizon to provide an updated audit report showing coverage of
> the Belgium issuing CAs by December 1, 2016. If the report is not delivered
> by December 1, 2016, we plan to immediately revoke the issuing CAs.

I note that you did not "immediately revoke" the issuing CAs on December 1,
2016.  Does this mean that Verizon did provide "an updated audit report
showing coverage of the Belgium issuing CAs" to DigiCert?

> If, for whatever reason, we are unable to revoke the issuing CAs at that
> time, we would certainly not object to the browsers distrusting the issuing
> CAs issued to Belgium.

Are you able to complete the Belgian government CA disclosures yet (either
by revoking the issuing CAs or by updating the CP/CPS and Audit details as
appropriate)?

Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy