On Friday, October 12, 2018 at 6:47:12 AM UTC+8, Samuel Pinder wrote: > Visiting the www.emsign.com homepage brings up a list of proposed products. > Currently, in the "Types of Certificate" table halfway down the page is the > following: > Wildcard SSL - OV > Wildcard SSL - EV > UCC Wildcard SSL - DV > UCC Wildcard SSL - OV > UCC Wildcard SSL - EV >
That's an unfortunate design issue. We acknowledge the mistake! We are not currently active on Online request acceptance. This is just an information website and put up by our design team. Merely as a material of presence. Being a "coming soon" website, it did not undergo detailed checks. (Got this corrected now after you pointed this.) We just completed our Period-Of-Time Audits which will enable us to issue live certificates shortly. The online (and offline) certificate request acceptance system will come live soon, which undergoes stringent checking measures by PA. We are apologetic for this oversight design issue. > That's not a good sign at all, since two of those imply EV and wildcard as > a single product. EV certificates cannot contain wildcards! This has always > been the case so why is this company, claiming 10 years experience, making > a mistake like this to propose such a product? > Sam > P.S. Sorry I don't contribute as much as I could, I do monitor this list > and read through regularly however. > Source: http://web.archive.org/web/20181011224402/http://emsign.com/ (Saved > to Web Archive in case the page is changed after this is pointed out). > > On Thu, Oct 11, 2018 at 11:33 PM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thu, Oct 11, 2018 at 02:36:18PM -0700, Wayne Thayer via > > dev-security-policy wrote: > > > Nick - I expect an emSign representative to respond to all of your > > > questions, but their information request indicates that they have been > > > operating the Indian Government Root for more than 10 years and have > > issued > > > over 35 million certificates: > > > https://bug1442337.bmoattachments.org/attachment.cgi?id=8955223 > > > > The phrasing in the paragraph (I think) you're referencing is ambiguous: > > > > > eMudhra has been a licensed CA under Controller of Certifying Authorities > > > which operates the Indian Government Root for more than 10 years > > > > I'm not sure whether it's eMudhra or the "Controller of Certifying > > Authorities" which has been operating the Indian Government Root for more > > than 10 years. At any rate, I can't seem to find any information about > > this > > "Indian Government Root", how it works, what it's used for, and what its > > criteria are, and so it's a bit hard to tell whether it's anything to be > > particularly proud of. > > > > If eMudhra *have* been in the CA business for 10 years, but they still > > managed to produce a CPS with the extensive list of "Bad"-grade practices > > you enumerated in your opening e-mail, that's... not encouraging. > > > > - Matt > > > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
