On 09/02/2017 20:55, Ryan Hurst wrote:
Peter,
Thank you very much for your, as always, thorough review.
Let me start by saying I agree there is an opportunity for improving the
policies around how key transfers such as your recent transfer and Google's are
handled.
It is my hope we can, through our respective recent experiences performing such
transfers, help Mozilla revise their policy to provide better guidance for such
cases in the future.
As for your specific questions, my responses follow:
pzb: First, according to the GTS website, there is no audit using the WebTrust
Principles and Criteria for Certification Authorities – Extended Validation
SSL. However, the two roots in the Mozilla CA program currently are EV enabled
and at least one subordinate CA under them is issuing EV certificates.
rmh: Prior to our final stage of the acquisition we contacted both Mozilla and
Microsoft about this particular situation.
Additional issue #1: Apparently, GlobalSign has not updated its website
with the fact that GlobalSign root R2 is no longer operated by
GlobalSign, see for example
https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates .
Also looking at the GlobalSign website I saw no obvious press release
regarding this transfer, the closest I could find was the following,
which seems kind of misleading, as it mentions new EV certs chaining to
GlobalSign R3 instead of R2, but not the fact that R2 is no longer a
GlobalSign root:
https://support.globalsign.com/customer/portal/articles/2580816-ev-ssl-intermediate-and-root-changes
Additional issue #2: The information at https://pki.goog/ about how to
report misissuance directs visitors to a generic reporting page for
code vulnerabilities, which (by their nature) tend to require reaction
times measured in days/weeks rather than the 1 day maximum specified
in Google's CPS.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy