On 09/02/2017 20:55, Ryan Hurst wrote:
Peter,

Thank you very much for your, as always, thorough review.

Let me start by saying I agree there is an opportunity for improving the 
policies around how key transfers such as your recent transfer and Google's are 
handled.

It is my hope we can, through our respective recent experiences performing such 
transfers, help Mozilla revise their policy to provide better guidance for such 
cases in the future.

As for your specific questions, my responses follow:

pzb: First, according to the GTS website, there is no audit using the WebTrust 
Principles and Criteria for Certification Authorities – Extended Validation 
SSL. However the two roots in the Mozilla CA program currently are EV enabled 
and at least one subordinate CA under them is issuing EV certificates.

rmh: Prior to our final stage of the acquisition we contacted both Mozilla and 
Microsoft about this particular situation.


Additional issue #1: Apparently, GlobalSign has not updated its website
with the fact that GlobalSign root R2 is no longer operated by
GlobalSign, see for example https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates

Also, looking at the GlobalSign website, I saw no obvious press release
regarding this transfer; the closest I could find was the following,
which seems kind of misleading, as it mentions new EV certs chaining to
GlobalSign R3 instead of R2, but not the fact that R2 is no longer a
GlobalSign root: https://support.globalsign.com/customer/portal/articles/2580816-ev-ssl-intermediate-and-root-changes

Additional issue #2: The information at https://pki.goog/ about how to
report misissuance directs visitors to a generic reporting page for
code vulnerabilities, which (by their nature) tends to require reaction
times measured in days/weeks rather than the 1 day maximum specified
in Google's CPS.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy