Today I noticed the following ComSign response to question 6 [1] in
Mozilla's November 2017 CA Communication:

> We are in the process of perfecting our CAA system. As far as I know we do
> not have a devoted mailbox for problem reporting in the root program, the
> mail for that should be mine – ya...@comda.co.il
>

This first implies that ComSign is not yet performing CAA checking as
required by the BRs effective 8-Sept 2017.

While the BRs do not require problem reports to be accepted via email, they
do require CAs to "publicly disclose the instructions through a readily
accessible online means". The ComSign CPS includes two email addresses:
supp...@comsign.co.il and customer_servi...@comsign.co.il. How has ComSign
met this requirement?

I will leave the discussion period open until ComSign has responded to
these concerns.

- Wayne

[1] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003mogw7&QuestionId=Q00042,Q00048

On Tue, Jan 16, 2018 at 2:05 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> To recap, we've established that this root was first BR audited on
> 26-April 2015 and has received clean period-of-time audits over the next
> two years. ComSign has disclosed 36 certificates issued by this root prior
> to the BR point-in-time audit, of which one remains unexpired. This does
> not meet the requirements of BR section 8.1 both because the point-in-time
> readiness assessment was not completed prior to issuing a publicly-trusted
> certificate, and because the first period-of-time audit was not completed
> within 90 days of issuing a publicly-trusted certificate. Mozilla policy,
> however, does not require a root to have maintained BR compliance over its
> entire lifetime to be included in the program. ComSign's current annual
> WebTrust for CAs and BR audits are enough to meet Mozilla's requirements.
>
> The questions I raised have been addressed to my satisfaction. If anyone
> has further concerns, please raise them this week so that we can complete
> the public discussion period for this inclusion request.
>
> - Wayne
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
