Getting back to this very late... I am studying this situation today.

On 07/08/17 10:21, Franck Leroy wrote:
> Then in November 2016 I contacted Kathleen and Gerv to know if there were some
> stoppers to work with Inigo to help StartCom to be back in the business.
> There was no opposition as long as we follow the requirements of the
> remediation plan. Gerv also answered that our plan was good to him.

The plan I approved was the following (quoting you):

"Maybe the safer solution for the interim period they have their new root trusted is that:
+ we create new subCAs with startssl names (signed by Certinomis root) in our PKI systems on a dedicated HSM.
+ StartCom will only have RA access, and we can control all cert issuance as the HSM is under our control.
+ when the StartSSL new root is publicly trusted by Mozilla, we give the HSM and an export of the database to StartCom.
+ then StartCom cross-signs the dedicated CAs with their new root, and then they are autonomous to use the CAs in their own PKI system."

This seems to be very different to the plan you implemented.

In that email exchange, you asked if a cross-sign was permitted. Kathleen replied:

"It would have to be for their new root(s) only. Definitely not allowed for their old roots. As always, the CA with the root cert in Mozilla's program is responsible for ensuring that their subCAs fully comply with the CA/Browser Forum's Baseline Requirements and Mozilla's CA Certificate Policy. I think the following from https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 would still apply: <list of action items from that bug>"

Various bugs have been filed since then to suggest that StartCom has not been following those two documents.

In addition, StartCom's first attempt at demonstrating they had met that list of action items (leaving aside the question of whether they, in fact, have) was in mid-July: https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c12

This was long after you did your cross-sign.

I am continuing to consider what the best next steps are in this situation.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy