I've held this discussion open for much longer than 3 weeks due to the
qualified audit reports that were received from Camerfirma. Since no
objections to the acquisition have been raised and the audit issues are
being discussed separately [1][2], I would like to close this discussion
and the corresponding bug [3] with a "positive conclusion" as required by
policy section 8.1. If you have concerns with this action, please respond by
the end of this week.

- Wayne

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/Xmr13-ZK0_c/kiyqqk7hCQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597

On Mon, Jul 30, 2018 at 5:47 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> On Wed, Jul 18, 2018 at 1:56 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> I would like to begin a 3-week public discussion period for InfoCert's
>> acquisition of Camerfirma [1] as described in section 8.1 of the Mozilla
>> Root Store Policy. I believe that the intent of our policy in this scenario
>> is to identify and consider any risks introduced by the acquisition of
>> Camerfirma, and not to reevaluate Camerfirma's inclusion as if it were a
>> new CA. In that context, I will appreciate everyone's constructive input on
>> issues that may affect Mozilla's ongoing trust in InfoCert/Camerfirma. I
>> have included some additional information below.
>>
>> - Wayne
>>
>> Camerfirma answered the questions that I posed [2] about this acquisition
>> as follows:
>>
>> <snip>
>
>>
>> Camerfirma has one open compliance bug [5] requesting full audit
>> information for a subordinate CA.
>>
> Camerfirma has supplied the audit information for this subordinate CA.
>
> Camerfirma also recently issued two intermediates that were not disclosed
> within the required week [8][9].
>
>> Camerfirma's 2018 audit statements are overdue - the prior period ended on
>> 14-April 2017, and new statements have not yet been supplied to Mozilla.
>> Last year's statements are still listed on the Camerfirma website [6].
>>
> Camerfirma has supplied their 2018 audit reports:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1478933
>
> The WebTrust, BR, and EV reports all contain multiple qualifications. I
> would summarize the qualifications as follows:
> * Inconsistencies and omissions in CP/CPS documents which I would consider
> relatively minor.
> * Misissuances. The reports appear to be referring to those documented in
> bugs 1357067, 1390977, 1405815, 1431164, and 1443857.
> * Misissuance for "wildcard to immediate left of public suffix in SAN" was
> also reported. I found [10] but since those are for the .sener brand TLD,
> it is possible that Camerfirma issued them in compliance with BR 3.2.2.6.
> * Not meeting the BR requirement to revoke within 24 hours, presumably
> referencing bug 1390977.
> * The revocation time differs between the OCSP service and CRL for a few
> certificates, and the OCSP service responds "good" for some certificates
> revoked according to the CRL.
> * Failure to begin investigations of problem reports within 24 hours.
> * Failure to self-audit at least 3% of issued certificates each quarter.
>
> <snip>
>
> [1]
>> https://infocert.digital/infocert-underwrites-a-capital-increase-to-acquire-51-of-the-spanish-ac-camerfirma/
>>
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597
>>
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=986854
>>
> [4]
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/skev4gp_bY4/snIuP2JLAgAJ
>>
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1455147
>>
> [6] https://www.camerfirma.com/camerfirma/acreditaciones/
>>
> [7]
>> http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_3.3.1_EN.pdf
>>
> [8]
>> https://crt.sh/?sha256=06a57d1cd5879fba2135610dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=mozilladisclosure
>
> [9]
>> https://crt.sh/?sha256=1defd59846cc2049ba1f1a74d3a8329d1357a2d47c1e1b0c15c27a8c60295455&opt=mozilladisclosure
>>
> [10] https://crt.sh/?cablint=319&iCAID=1778&minNotBefore=2017-01-01
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
