Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.

More pressing:
I can find no disclosure with Salesforce or crt.sh of at least two CAs that
are listed 'in scope' of the audit report, as part of
https://www.symantec.com/content/en/us/about/media/repository/Symantec-NFSSP-WTCA_11-30-2016.pdf

This audit report identifies the "SureID Inc. CA2" and "SureID Inc. Device
CA2" as within scope for this audit. It would be useful to understand their
lack of disclosure, relative to the audits and to Section 5.3.2 of the
inclusion policy.

Less pressing (as it relates to e-mail):
One other question with disclosing audits: My understanding of
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ ,
particularly Section 5.3.2 and Section 3.1.2.1, is that for CA certificates
that are enabled for the email trust bit, the CA, and all subordinate CAs
capable of issuing e-mail certificates, must have a WebTrust for CAs audit
and must be publicly disclosed. Is that correct?

Looking through CAs such as https://crt.sh/?caid=598 , which is disclosed (
https://crt.sh/?id=68409 ), it seems there are a substantial number of
subordinate CAs capable of issuing e-mail certificates that are not
disclosed. I thought this might be due to scaling the CCADB, but I note
that Microsoft's Trusted Root Requirements have required the same audits (
https://social.technet.microsoft.com/wiki/contents/articles/31635.microsoft-trusted-root-certificate-program-audit-requirements.aspx#A_WebTrust_Audits )
for some time. Do you or Kathleen know the status of these disclosures and
audits?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy