> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > This request has been in public discussion for more than 6 months, so I > would like to make a decision soon. If you have comments or concerns with > this request, please post them here by 6-March 2018.
Given the misissued certificates in CT under the existing root, I believe this request should be rejected, and a new clean root with audits should be required before moving forward. The errors in the issued certificates indicate a lack of technical controls in addition to improperly implemented certificate profiles. Given this, an explanation should also be provided of what changes have been made to the issuance environment to ensure these types of mistakes will not happen under the new root. There are a bunch of warnings, but these jumped out at me as being very serious: These certificates have a commonName that is not included as a dNSName SAN: - https://crt.sh/?id=99182607&opt=cablint - https://crt.sh/?id=242366304&opt=cablint This certificate has a SAN with a domain ending in .local, which is a reserved special-use TLD: - https://crt.sh/?id=79470561&opt=cablint It’s important to remember that these are only the certificates that we know about via CT. There may be certificates with similar or other issues that are not logged. Jonathan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy