On 2017-07-10 18:35, Alex Gaynor wrote:
Hi all,
I wanted to call some attention to a few intermediates which have been
hanging out in the "Audit required" section for quite a while:
https://crt.sh/mozilla-disclosures#disclosureincomplete
Specifically, the TurkTrust and Firmaprofesional ones. Both have issues
open in Bugzilla:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1367842
- https://bugzilla.mozilla.org/show_bug.cgi?id=1368171
However, neither appears to have seen any attention from the CAs in the
past two months.
Section 5.3.2 of the Mozilla Root Policy says they have a week to disclose
the cert, however I'm a bit less clear on what timeline they're required
to provide the audit statements.
We have a template for reminding about missing audits here:
https://wiki.mozilla.org/CA:Email_templates#Disclosure_Incomplete_Email_Template
As far as I know, this was first sent on the 3rd of April, see the
thread with subject: "Automated email reminders about intermediate certs
missing audit or CP/CPS". I don't think such reminders were sent a
second time.
So at least some of them have been notified more than 3 months ago, and
a bug was filed a month later. I think you already gave them too much
time to at least respond to it, and suggest that you send a new email
indicating that if they don't respond immediately that they will get
added to OneCRL.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy