On Tue, Feb 27, 2018 at 2:40 PM, Jonathan Rudenberg <jonat...@titanous.com>
wrote:

>
> > On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> >
> >> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >>
> >> This request has been in public discussion for more than 6 months, so I
> >> would like to make a decision soon. If you have comments or concerns with
> >> this request, please post them here by 6-March 2018.
> >
> > Given the misissued certificates in CT under the existing root, I
> > believe this request should be rejected, and a new clean root with audits
> > should be required before moving forward.
> >
>
This course of action doesn't seem consistent with our treatment of the
many included CAs that have experienced these problems.


> > The errors in the issued certificates indicate a lack of technical
> > controls in addition to improperly implemented certificate profiles. Given
> > this, an explanation should also be provided of what changes have been made
> > to the issuance environment to ensure these types of mistakes will not
> > happen under the new root.
>
> I just took a closer look at the thread, and it appears that some
> misissuance was pointed out in July and most of the controls that were
> suggested as a solution relied on humans. These controls appear to have
> predictably failed, as multiple misissued certificates are from this fall,
> well after the fixes should have been in place.
>
> Olfa's most recent response indicates that additional/technical controls
were added this week. However, I'm not convinced that they are adequate.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
