While I sincerely appreciate the efforts of Chunghwa Telecom to respond to questions and to remediate some of the issues that were identified here, this discussion ha made it clear that this request should be denied. There is a significant degree of misissuance associated with this root, some of the misissuance was intentional, and remediation did not occur until the problems were called out. I will resolve the inclusion bug as WONTFIX. Chunghwa Telecom is encouraged to create a new root that is free of these issues and to apply for the inclusion of that new root in the Mozilla program.
- Wayne On Sat, Jul 14, 2018 at 5:26 AM lcchen.cissp--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Wayne Thayer於 2018年7月14日星期六 UTC+8上午1時16分58秒寫道: > > > In effect, this is saying that CAs should be permitted to break > > well-defined rules when they find them inconvenient. This is the second > > example in which Chunghwa Telecom has argued that it's okay to do this > > (along with the Taiwan State/Locality issue). While I can sympathize with > > Chunghwa Telecom's reason for doing this, it is quite troubling because > it > > implies that Chunghwa Telecom may be willing to ignore any of the rules > > they disagree with. > > > I disagree that the discussion string referenced above did not reach a > > conclusion. A number of interoperability concerns were raised, causing > the > > proposal to be rejected. By violating RFC 5280 in this manner, Chunghwa > > Telecom has created an additional burden and risk for Mozilla by > expecting > > our software to accommodate non-standards-compliant certificates. > > Dear Wayne, > > We used automated tools (base on zlint, x509lint)to check all to be > signed SSL certificates from June 22, 2018. So there will be no SSL > certificates of those two issues in the future. > > Our vetting person had checked the mainstream browsers such as Firefox > before RA Officer approved the certificate Request of crt.sh ID 336874396. > There are no issue for longer than 64 characters of OU in Firefox such as > https://mail.gov.vc/. He just asked me to help to express his thought for > discussion. > > > Sincerely Yours, > > Li-Chun > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
