My main concern with this request is the misissued certificates identified
by linters that have not been revoked - I have included my comments and
links from the original message below.

It appears that DigiCert is not planning to remediate these certificates -
can a representative from DigiCert confirm that?

If these certificates are not revoked, I feel that it would be consistent
with our treatment of other CAs to deny this request. I would appreciate
everyone's opinion on that, and also if you think that the amount of
misissuance is reason enough to deny this request, even if the misissuance
is remediated.

=============================
* The TERENA SSL CA 3 subordinate has misissued a number of certificates
[3], most of which are not revoked. DigiCert’s response in this bug states
“We were under the impression from previous communications with Mozilla
that certain types of errors identified did not require certificate
revocation. It would help if Mozilla could indicate which certificate
errors are believed to require revocation. We will then review the lists to
see which certificates need to be revoked.” I do not believe that Mozilla
should create such a list, and we have set a precedent for requiring
revocation for at least some of the errors that are identified - e.g.
metadata in subject fields [4].
* In addition, DigiCert previously reported that they had addressed the
problem of metadata in subject fields for certificates issued by the Terena
subordinate [5].
* Linters identify a large number of misissued certificates under the
DigiCert SHA2 Secure Server CA intermediate [6]. Many of these are false
positives (e.g. ZLint expects CN and SAN fields to be lowercased), but some
are not and of those many are not revoked - e.g. [7].
* CPS section 3.2.2 did not, in my opinion, adequately specify the
procedures employed to perform email address verification as required by
Mozilla policy section 2.2(2). The latest update addressed this.

[3] https://crt.sh/?caid=1687&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
[4] https://crt.sh/?id=629259396&opt=cablint
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1397958
[6] https://crt.sh/?caid=1191&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
[7] https://crt.sh/?id=286404787&opt=zlint
=============================

On Thu, Nov 29, 2018 at 4:17 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> I would appreciate it if we could move the discussion of exceptions to the
> deadline for revoking certificates containing underscores to a new thread.
>
> As it relates to this request, any failure to meet the revocation deadline
> would trigger the creation of an incident bug. (that is unless we as a
> community decide otherwise)
>
> I am not of the opinion that the existence of such a bug would change the
> outcome of this discussion. If others feel that it might, I am not opposed
> to holding the discussion open. Meanwhile, I'd suggest we stick to
> discussing the current facts of this request.
>
> - Wayne
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
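The thread distinguishes lint findings that required revocation (metadata placeholders in subject fields, underscores in dNSNames) from case-only hits that are often false positives. The following is an added illustration, not code from the thread, ZLint or cablint: a minimal triage over already-parsed subject attributes and SAN dNSNames (the input shapes, the placeholder list and the `lint_cert`/`needs_revocation` names are assumptions), classifying findings by whether they would have fallen under the revocation precedent described above.

```python
# Added example (not part of the mailing-list thread): triage parsed certificate
# fields into "error" findings (the kinds the thread says required revocation)
# and "warning" findings (case-only hits the thread calls likely false positives).
import re
from typing import Dict, List

# Assumed list of non-informational placeholder values seen in subject fields.
METADATA_VALUES = {"-", ".", "n/a", "na", "none", "null", "unknown", "blank"}
# LDH label syntax; case-insensitive because dNSName comparison ignores case.
DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def lint_cert(subject: Dict[str, str], dns_names: List[str]) -> Dict[str, List[str]]:
    """subject maps attribute name -> value; dns_names lists SAN dNSName entries,
    as any X.509 parser would yield them. Returns findings keyed by severity."""
    errors: List[str] = []
    warnings: List[str] = []
    for attr, value in subject.items():
        if not value.strip() or value.strip().lower() in METADATA_VALUES:
            errors.append(f"subject {attr} holds placeholder/metadata value {value!r}")
    for name in dns_names:
        host = name[2:] if name.startswith("*.") else name  # single leading wildcard
        for label in host.split("."):
            if "_" in label:
                errors.append(f"dNSName {name!r}: underscore in label {label!r}")
            elif not DNS_LABEL.match(label):
                errors.append(f"dNSName {name!r}: malformed label {label!r}")
        if name != name.lower():
            # Case-only finding: flagged by some linters, but not a violation by itself.
            warnings.append(f"dNSName {name!r}: not lowercase")
    return {"error": errors, "warning": warnings}


def needs_revocation(findings: Dict[str, List[str]]) -> bool:
    """Only error-class findings fall under the revocation precedent."""
    return bool(findings["error"])


# Constructed sample inputs, not real certificates from the crt.sh links.
SAMPLE_CERTS = {
    "placeholder-ou": ({"O": "Example Org", "OU": "-"}, ["www.example.com"]),
    "underscore-san": ({"O": "Example Org"}, ["api_v1.example.com"]),
    "uppercase-only": ({"O": "Example Org"}, ["WWW.Example.COM", "*.example.com"]),
}


def triage(certs=SAMPLE_CERTS) -> Dict[str, bool]:
    """Map each constructed sample to whether it would need revocation."""
    return {name: needs_revocation(lint_cert(s, d)) for name, (s, d) in certs.items()}
```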
