On 17/01/18 09:21, Ryan Sleevi via dev-security-policy wrote:
Specifically,
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7

Ben, Ryan,

Hmm, you're right. (I must've skipped over that disclosure deadline change because I'd already disclosed Comodo's id-kp-emailProtection intermediates to the CCADB well ahead of the original deadline). The November 2017 CA Communication does indeed say 15th April 2018, and, in fact, so does the latest draft of the Mozilla Root Store Policy [1].

However, the Stable version of the Mozilla Root Store Policy [2] still says 15th January 2018.

Surely the Stable version of the Policy is in force and the Draft version is not yet in force?

Perhaps Mozilla could consider publishing a v2.5.1 of the Policy that (compared to v2.5) simply updates this disclosure deadline?


[1] https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md

[2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

On Tue, Jan 16, 2018 at 6:06 PM, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

What about the Mozilla CA communication that said that CAs had until 15 April 2018?

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Rob Stradling via dev-security-policy
Sent: Tuesday, January 16, 2018 2:29 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: CCADB disclosure of id-kp-emailProtection intermediates

[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents Mozilla's policy and/or current expectations.  Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the non-disclosure (and, IINM, non-audit) of certain non-technically-constrained id-kp-emailProtection intermediate certificates...until yesterday:
"Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained intermediate certificates known to crt.sh that chain to an NSS built-in root (that has the Email trust bit set) and are capable of issuing id-kp-emailProtection certificates but not id-kp-serverAuthentication certificates.

IIUC, the Mozilla policy now requires these intermediate certificates to have already been disclosed to the CCADB and to be audited.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
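As an added example (not part of the thread, and not crt.sh's or Mozilla's code), the Go program below applies the capability test Rob quotes to a certificate's own extensions: it reports whether a CA certificate can issue id-kp-emailProtection leaves but not id-kp-serverAuth leaves, and whether it carries an rfc822Name permittedSubtree in a Name Constraints extension. Everything it inspects is generated inside the program with throwaway keys and made-up names. Two things it deliberately does not do: it does not build a chain to an NSS built-in root or consult the Email trust bit (that needs the root store, not the certificate), and it does not claim that an rfc822Name constraint alone satisfies the policy's definition of "technically constrained"; check that against the policy text, not this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict records what a CA certificate is capable of issuing, judged only
// from its own Basic Constraints, EKU and Name Constraints extensions.
type Verdict struct {
	IsCA                   bool
	CanIssueEmail          bool // no EKU, anyExtendedKeyUsage, or id-kp-emailProtection present
	CanIssueServer         bool // no EKU, anyExtendedKeyUsage, or id-kp-serverAuth present
	HasEmailNameConstraint bool // Name Constraints with at least one rfc822Name permittedSubtree
}

// EmailOnly is the crt.sh criterion quoted in the thread: a CA certificate
// able to issue id-kp-emailProtection leaves but not id-kp-serverAuth leaves.
func (v Verdict) EmailOnly() bool { return v.IsCA && v.CanIssueEmail && !v.CanIssueServer }

// classify reads capabilities off a parsed certificate. A missing EKU
// extension, or one containing anyExtendedKeyUsage, is "no restriction",
// which is the conservative reading for a CA certificate.
func classify(c *x509.Certificate) Verdict {
	v := Verdict{IsCA: c.BasicConstraintsValid && c.IsCA}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		v.CanIssueEmail, v.CanIssueServer = true, true
	}
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			v.CanIssueEmail, v.CanIssueServer = true, true
		case x509.ExtKeyUsageEmailProtection:
			v.CanIssueEmail = true
		case x509.ExtKeyUsageServerAuth:
			v.CanIssueServer = true
		}
	}
	v.HasEmailNameConstraint = len(c.PermittedEmailAddresses) > 0
	return v
}

// newCA builds a CA certificate for this example (self-signed when parent is
// nil). Names, keys and serials are constructed here and mean nothing outside it.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	ekus []x509.ExtKeyUsage, permittedEmail []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:            serial,
		Subject:                 pkix.Name{CommonName: cn},
		NotBefore:               time.Now().Add(-time.Hour),
		NotAfter:                time.Now().Add(24 * time.Hour),
		IsCA:                    true,
		BasicConstraintsValid:   true,
		KeyUsage:                x509.KeyUsageCertSign,
		ExtKeyUsage:             ekus,
		PermittedEmailAddresses: permittedEmail, // nil means no Name Constraints extension
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sampleVerdicts issues four intermediates from one throwaway root and
// classifies each. The map keys are labels for this example, not CA names.
func sampleVerdicts() (map[string]Verdict, error) {
	root, rootKey, err := newCA("Example Root (constructed)", nil, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	email := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	tls := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	cases := []struct {
		label string
		ekus  []x509.ExtKeyUsage
		nc    []string
	}{
		{"unconstrained", nil, nil},                           // no EKU at all
		{"email-only", email, nil},                            // EKU limits it, no Name Constraints
		{"email-constrained", email, []string{"example.com"}}, // EKU plus rfc822Name constraint
		{"tls", tls, nil},                                     // serverAuth present
	}
	out := make(map[string]Verdict, len(cases))
	for _, tc := range cases {
		ica, _, err := newCA("Example Intermediate "+tc.label, root, rootKey, tc.ekus, tc.nc)
		if err != nil {
			return nil, err
		}
		out[tc.label] = classify(ica)
	}
	return out, nil
}

func main() {
	vs, err := sampleVerdicts()
	if err != nil {
		panic(err)
	}
	for label, v := range vs {
		fmt.Printf("%-18s emailOnly=%t emailNameConstraint=%t\n", label, v.EmailOnly(), v.HasEmailNameConstraint)
	}
}
```

Running it prints one line per sample; "email-only" and "email-constrained" both satisfy the EmailOnly criterion, and only the latter carries an rfc822Name constraint. To apply the same check to a real intermediate, parse its DER with x509.ParseCertificate and pass it to classify; the chain-to-NSS-root and trust-bit part of crt.sh's query still has to be done separately.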
