Hi Everyone, I have reviewed the responses we received from the November 2017 CA Communication [1], and I have the following comments to share:
* Beginning with the good news, no new concerns related to the suspected .tg Registry compromise were reported (Action #8).

* The deadline for submitting the survey was 15-December, but Amazon, DSV-Gruppe, and Web.com required repeated prodding in January before they responded. It may be that mid-December is not the best time of the year for a survey deadline, but the response we received fell short of our expectations.

* In action #1, CAs were asked to confirm that they comply with version 2.5 of the Mozilla root store policy. This policy took effect last June [2], but a number of CAs stated that they needed more time to bring their CPS into compliance. Most CAs said they would comply by 1-March, but some requested much more time. Microsec Ltd. stated that “The next version of our public documents will contain the exact reference to these BR sections which will be issued by 2018-09-30.” I expect CAs to update their CPS much more frequently when requirements change. I propose that we require CAs to update their CPS to comply with version 2.5 of the Mozilla root store policy no later than 15-April 2018.

* A few CAs indicated that they are no longer issuing certificates, and thus believe that they don’t need to meet some of the Mozilla program requirements. I have emailed these CAs and asked them to either comply with all the requirements or we will begin the process of removing their roots.

* In Action #1, CAs were reminded of the new requirement to disclose unconstrained S/MIME subordinate CAs in CCADB by 15-April. However, over 200 undisclosed intermediates are currently reported by crt.sh [3].

* Responding to Action #5, many CAs requested extensions to the 31-Jan deadline for submitting BR Self Assessments, with most requesting another month or two. I propose that we extend the deadline to 15-April 2018 for those CAs that requested more time. Responses will be tracked at [4].

* Action #6 requested CAs to provide any updates to their problem reporting mechanism or recognized CAA domains. CCADB has been updated with these changes. You can review and confirm the changes via the reports at [5] and [6].

We are planning to directly notify CAs of the deadlines that I suggested above.

- Wayne

[1] https://wiki.mozilla.org/CA/Communications#November_2017_Responses
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/lSyrFEkREZk/9c67Y7bNAQAJ
[3] https://crt.sh/mozilla-disclosures#undisclosed
[4] https://docs.google.com/spreadsheets/d/1Lmdkl3gTpKyBgZwL_6j5ivClBXiGMUnZyAVJDTHtjO4/edit?usp=sharing
[5] https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport
[6] https://ccadb-public.secure.force.com/mozilla/CAAIdentifiersReport