Getting back to this very late... I am studying this situation today.

On 07/08/17 10:21, Franck Leroy wrote:
> Then in November 2016 I contacted Kathleen and Gerv to know if there were any 
> stoppers to work with Inigo to help StartCom to be back in the business.
> There was no opposition as long as we followed the requirements of the 
> remediation plan. Gerv also answered that our plan was good to him.

The plan I approved was the following (quoting you):


"Maybe the safer solution for the interim period, until they have their new
root trusted, is that:

  + we create new subCAs with startssl names (signed by Certinomis
    root) in our pki systems on a dedicated HSM.

  + startcom will only have RA access, and we can control all certs
    issuance as the HSM is under our control.

  + when startssl new root is publicly trusted by Mozilla, we give the
    HSM and an export of the database to Startcom.

  + then startcom cross-signs the dedicated CAs with their new root, and
    then they are autonomous to use the CAs in their own pki system."


This seems to be very different to the plan you implemented.

In that email exchange, you asked if a cross-sign was permitted.
Kathleen replied:


"It would have to be for their new root(s) only. Definitely not allowed
for their old roots.

As always, the CA with the root cert in Mozilla's program is responsible
for ensuring that their subCAs fully comply with the CA Browser Forum's
Baseline Requirements and Mozilla's CA Certificate Policy.

I think the following from
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 would still apply:
<list of action items from that bug>"


Various bugs have been filed since then to suggest that StartCom has not
been following those two documents. In addition, StartCom's first
attempt at demonstrating they had met that list of action items (leaving
aside the question of whether they, in fact, have) was in mid-July:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c12

This was long after you did your cross-sign.

I am continuing to consider what the best next steps are in this situation.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy