On Tue, Feb 5, 2019 at 6:37 AM Matthias van de Meent <
matthias.vandeme...@cofano.nl> wrote:

> I agree that sectigo hosts a CPS which meets the requirements for them
> to issue a certificate for the website. The issue is different here,
> though.
>
> The apparent signee (ComodoCA/Sectigo) has issued their CPS here
> (https://sectigo.com/legal , https://www.comodoca.com/en-us/legal/ ),
> latest version both being 4.2, which mentions (in section 7.1.1
> <Certificate Profile, Certificate Versions>) that the certificates
> will be issued based on the CPS, Appendix C, which only
> includes 'O=Comodo Limited'-, 'O=Comodo CA Limited'- and 'O=The
> USERTRUST Network'-issuer certificates.
>
> As the signee of my certificate is not included in any way or form in
> the CPS of either ComodoCA or Sectigo, this would _not_ qualify as a
> certificate signed according to ComodoCA's nor Sectigo's CPS (using a
> strict reading), and as such this would be an indication of a rogue
> intermediate certificate authority (if that is the correct term).
>
> Please advise
>

Thanks for clarifying. Note that Sectigo is the rebranded name of Comodo CA
(https://groups.google.com/d/msg/mozilla.dev.security.policy/Feh5Xk95mtM/JzINdTT7AwAJ),
as the same entity.

I want to make sure I follow your point: Your new remark is that there's
nothing amiss with CAA, but you're concerned that Sectigo's CPS does not
enumerate all of the intermediates they use to issue, by virtue of not
enumerating their subject names within Appendix C, which is
cross-referenced by Section 7.1. Is that correct?

CAs are not presently required to disclose those profiles in that detail,
but it sounds as if the issue is that Sectigo did not update the CP/CPS
following the rebrand. Does that match your understanding of the issue?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
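The check the thread is circling around, whether the issuer of a certificate carries one of the organisation names the CPS Appendix C enumerates, can be scripted against the issuer DN strings that `openssl x509 -noout -issuer` prints. This is an added example, not code from either poster or from Sectigo; the sample issuer DNs and the "Rebranded CA Ltd, Inc" name are constructed, and only the three O= values quoted in the thread are taken from the page.

```python
"""Flag certificate issuers whose O (Organization) is not among the
organisation names a CA's CPS enumerates for its issuing CAs.
Added example; input is the issuer DN as printed by
`openssl x509 -noout -issuer`, e.g. 'issuer=C = GB, O = Foo, CN = Bar'."""
import re

# Issuer organisations listed in the CPS Appendix C quoted in the thread.
CPS_APPENDIX_C_ORGS = frozenset({
    "Comodo Limited",
    "Comodo CA Limited",
    "The USERTRUST Network",
})


def parse_dn(dn: str) -> dict:
    """Parse 'issuer=C = GB, O = Foo\\, Inc, CN = Bar' into {'C': 'GB', ...}.
    Honours backslash-escaped commas inside values (RFC 4514 style)."""
    if dn.startswith(("issuer=", "subject=")):
        dn = dn.split("=", 1)[1]
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def issuer_in_cps(dn: str, allowed=CPS_APPENDIX_C_ORGS) -> bool:
    """True when the issuer's O attribute is one the CPS enumerates."""
    org = parse_dn(dn).get("O")
    return org is not None and org in allowed


def audit_chain(issuer_dns):
    """Return [(dn, ok), ...]; ok=False is the situation the thread describes:
    an issuing CA whose organisation name the CPS does not list."""
    return [(dn, issuer_in_cps(dn)) for dn in issuer_dns]


# Constructed sample issuer DNs (not real certificates from the thread).
SAMPLE_ISSUERS = [
    "issuer=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = Example DV CA",
    "issuer=C = US, O = The USERTRUST Network, CN = Example Root CA",
    "issuer=C = GB, O = Rebranded CA Ltd\\, Inc, CN = Example Rebranded DV CA",
]

if __name__ == "__main__":
    for dn, ok in audit_chain(SAMPLE_ISSUERS):
        print("OK   " if ok else "CHECK", parse_dn(dn).get("O"))
```

Run it with the `-issuer` output of each intermediate in a chain; a CHECK line means the CPS text and the issuing hierarchy disagree, which is a question for the CA, not proof of a rogue intermediate.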