Hi Mark,

Are you saying you do intend to revoke all of these certificates in the
next 24 hours?

While subscribers are allowed to continue using bad certificates as long as
they desire, the BRs require CAs to revoke non-compliant certificates
within 24 hours of becoming aware of them.

Alex

On Tue, Jul 25, 2017 at 3:20 PM, Policy Authority PKIoverheid via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Wednesday 19 July 2017 00:26:16 UTC+2, Charles Reiss wrote:
> > - Digidentity Services CA - G2 (https://crt.sh/?caid=868 ; chains to
> > Staat der Nederlanden Root CA - G2) has issued certificates whose serial
> > numbers appear to be of the form 0x10000000 + sequential counter,
> > with notBefores as recent as 8 June 2017.
>
>
> Hi Charles,
>
> Many thanks for bringing this to our attention. We have looked into this
> matter immediately. Meanwhile the Policy Authority PKIoverheid has
> prohibited Digidentity (one of the Trusted Service Providers within the
> PKIoverheid/Staat der Nederlanden hierarchy) from issuing new certificates.
>
> After investigation it emerged that a total of 777 certificates were issued
> from September 30th 2016 that are not compliant with BR ballot 164
> (https://cabforum.org/2016/07/08/ballot-164/), echoed by the same
> requirement in version 2.4 (Compliance date: February 28, 2017) of the
> Mozilla CA Certificate Policy. Digidentity will revoke and replace these
> non-compliant certificates. This will take place on or before
> 31 August 2017. However, this action requires the cooperation of
> subscribers. As you know we are in the midst of the Holiday Season, so we
> can't completely rule out that some certificates will be replaced a couple
> of days after August the 31st. Nevertheless Digidentity will do its utmost
> to revoke and replace all certs before the 31st.
>
> As evidence that Digidentity is now compliant with regard to the
> certificate serial number requirement from the BR, check the newly issued
> SSL cert on this website: https://www.digidentity.eu/nl/home/
>
> The Policy Authority PKIoverheid has judged that Digidentity can resume
> issuing certificates now that they are in compliance with Ballot 164 and
> the Mozilla CA Policy.
>
> Please let me know if you have any questions.
>
> Further questions could also be answered by my colleagues Jorik van 't Hof
> or Jochem van den Berge.
>
> Thanks.
>
> Regards,
> Mark Janssen
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
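The thread turns on one technical point: Ballot 164 (effective 30 September 2016) requires serial numbers to carry at least 64 bits of CSPRNG output, and a serial of the form 0x10000000 + counter plainly does not. The script below is an added example, not code from any of the participants or from Digidentity or PKIoverheid. It shows a simple batch check a relying party or auditor could run over serials pulled from a CT log (sample serials are constructed to mimic the pattern Charles described), plus the usual way a CA builds a compliant serial. The function names and the 2^32 threshold are my own assumptions; the 20-octet limit and the positive-INTEGER rule come from the BRs and DER respectively.

```python
import os

# Constructed sample: a fixed offset of 0x10000000 plus a sequential counter,
# the pattern reported in the thread. Not real Digidentity serials.
SEQUENTIAL_SERIALS = ["10000001", "10000002", "10000003", "1000002A"]


def parse_serial(hex_serial: str) -> int:
    """Accept crt.sh/openssl style hex ('01:23:AB' or '0123AB')."""
    return int(hex_serial.replace(":", "").replace(" ", ""), 16)


def assess_batch(serials):
    """Heuristic entropy check over a batch of serials from one issuer.

    A serial that embeds 64 CSPRNG bits must be at least 64 bits long, and
    two such serials landing within 2^32 of each other is astronomically
    unlikely, so either condition points at a counter (assumed threshold).
    Returns the measurements and a list of human-readable findings.
    """
    values = sorted(parse_serial(s) for s in serials)
    if len(values) < 2:
        raise ValueError("need at least two serials to compare")
    deltas = [b - a for a, b in zip(values, values[1:])]
    min_delta = min(deltas)
    findings = []
    if max(v.bit_length() for v in values) < 64:
        findings.append("serial numbers are shorter than 64 bits")
    if min_delta < 2**32:
        findings.append("consecutive serials differ by less than 2^32: likely a counter")
    return {"min_delta": min_delta, "spread": values[-1] - values[0], "findings": findings}


def new_serial(nbytes: int = 16) -> int:
    """Assumed generator: nbytes from os.urandom, top bit cleared so the DER
    INTEGER encodes as positive, re-drawn if zero. 16 bytes gives 127 random
    bits and stays well under the BR limit of 20 octets."""
    while True:
        raw = bytearray(os.urandom(nbytes))
        raw[0] &= 0x7F
        value = int.from_bytes(raw, "big")
        if value != 0:
            return value


def is_well_formed(serial: int) -> bool:
    """Structural checks only: positive and at most 20 octets when encoded.
    Entropy cannot be judged from a single serial; use assess_batch for that."""
    return serial > 0 and (serial.bit_length() + 7) // 8 <= 20


if __name__ == "__main__":
    print("counter-style batch:", assess_batch(SEQUENTIAL_SERIALS))
    fresh = [new_serial() for _ in range(5)]
    print("random batch:", assess_batch([format(v, "x") for v in fresh]))
    print("all well-formed:", all(is_well_formed(v) for v in fresh))
```

The batch check is deliberately coarse: it cannot prove a CA used a CSPRNG, but it reliably flags the two shapes of failure that have shown up in practice, serials that are too short to hold 64 random bits and serials that are numerically adjacent. Run it per issuing CA, since mixing issuers hides a counter inside the spread of another CA's random serials.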