Is this a correct summary:

- The report included here is supposed to fulfill the network security test portion of the BRs
- This report does not attest to BR compliance (or non-compliance)
- To complete an application for the Mozilla Root Program, WoSign would be required to additionally provide a WebTrust audit (or equivalent, as described in the Mozilla PKI Policy section 3.1)
- Based on your reading of the complete network security test, you would not expect WoSign to be able to pass a BR Audit without qualifications
Alex

On Tue, Jul 11, 2017 at 11:35 AM, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
> > >>
> > >> Please note this email topic is just for releasing the news that WoSign new system passed the security audit, just for demonstration that we finished item 5:
> > >> " 5. Provide auditor[3] attestation that a full security audit of the CA’s issuing infrastructure has been successfully completed. "
> > >> " [3] The auditor must be an external company, and approved by Mozilla. "
> > >
> > > It also seems a bit strange to report item 5 "successfully completed" before we hear anything about the other items. How about starting with item 1? What are your plans for fixing the problems?
> >
> > It’s worth noting that the problems have not stopped yet. There are a bunch of certificates issued over the past few months that do not comply with the Baseline Requirements issued from the new "StartCom BR SSL ICA", for example:
>
> It's worth noting that, on the basis of the security audit report full details shared by WoSign, the system that was security audited does not comply with the Baseline Requirements, nor, as designed, can it. The system would need to undergo non-trivial effort to comply with the Baseline Requirements.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy