On Tue, 5 Feb 2019 at 16:58, Ryan Sleevi <r...@sleevi.com> wrote:
>
> On Tue, Feb 5, 2019 at 6:37 AM Matthias van de Meent 
> <matthias.vandeme...@cofano.nl> wrote:
>>
>> I agree that Sectigo hosts a CPS which meets the requirements for them
>> to issue a certificate for the website. The issue is different here,
>> though.
>>
>> The apparent signee (ComodoCA/Sectigo) has issued their CPS here
>> (https://sectigo.com/legal , https://www.comodoca.com/en-us/legal/ ),
>> latest version both being 4.2, which mentions (in section 7.1.1
>> <Certificate Profile, Certificate Versions>) that the certificates
>> will be issued according to the CPS, Appendix C, which only
>> includes 'O=Comodo Limited'-, 'O=Comodo CA Limited'- and 'O=The
>> USERTRUST Network'-issuer certificates.
>>
>> As the signee of my certificate is not included in any way or form in
>> the CPS of either ComodoCA or Sectigo, this would _not_ qualify as a
>> certificate signed according to ComodoCA's or Sectigo's CPS (using a
>> strict reading), and as such this would be an indication of a rogue
>> intermediate certificate authority (if that is the correct term).
>>
>> Please advise
>
>
> Thanks for clarifying. Note that Sectigo is the rebranded name of Comodo CA
> (https://groups.google.com/d/msg/mozilla.dev.security.policy/Feh5Xk95mtM/JzINdTT7AwAJ),
> as the same entity.
>
> I want to make sure I follow your point: Your new remark is that there's 
> nothing amiss with CAA, but you're concerned that Sectigo's CPS does not 
> enumerate all of the intermediates they use to issue, by virtue of not 
> enumerating their subject names within Appendix C, which is cross-referenced 
> by Section 7.1. Is that correct?

That is correct. The CPS enumerates subject names as if it were a
conclusive list, in multiple sections (1.4.1, Appendix C and Appendix
D - which is not mentioned throughout the CPS). Apparently this is not
the case, but a conclusive list can only be obtained using certificate
transparency logs and certificate authority repositories. Then there
is still no information about what policies are applied to said
certificates, as the table in 1.4.1 does not include said subject
names.

> CAs are not presently required to disclose those profiles in that detail, but 
> it sounds as if the issue is that Sectigo did not update the CP/CPS following 
> the rebrand. Does that match your understanding of the issue?

That is indeed my understanding.

I've now read that there will be a post-rebrand CPS, so I hope that
this gap in documentation will be resolved soon.

In the meantime, does this qualify as a nonconformance according to
point 7.1.4 in the Mozilla certificate policy -- a Certificate Policy
and Certification Practice Statement (or links to a CP and CPS) or
equivalent disclosure document(s) for the CA or CAs in question --?
Using a strict reading, the CPS linked to in the issued certificate
does not cover the certificate by not having CP/CPS information about
the CA in question.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
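The check Matthias describes above (comparing the issuing CAs actually present in a served chain against the organizations the CPS appendix enumerates) can be automated. The following Go program is an added example written for this editorial note; it is not code from the thread, from Sectigo/Comodo, or from Mozilla. It constructs a throwaway three-certificate chain in memory, so it runs offline: the root and the CPS-listed organization names come from the thread, while "Example Rebranded CA" and "Relying Party Ltd" are constructed placeholders standing in for an issuing CA the CPS does not list. The point it demonstrates is the one the thread makes: a chain can be cryptographically valid and still be undocumented by the disclosed CPS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer organizations enumerated in the CPS appendix, as listed in the thread.
var cpsListedOrgs = map[string]bool{
	"Comodo Limited":        true,
	"Comodo CA Limited":     true,
	"The USERTRUST Network": true,
}

// undocumentedIssuers walks a chain (leaf first) and returns every issuer
// Organization value that the CPS list does not enumerate. An empty result
// means every issuing CA in the chain is covered by the disclosed CPS.
func undocumentedIssuers(chain []*x509.Certificate, listed map[string]bool) []string {
	var gaps []string
	seen := map[string]bool{}
	for _, cert := range chain {
		for _, org := range cert.Issuer.Organization {
			if !listed[org] && !seen[org] {
				seen[org] = true
				gaps = append(gaps, org)
			}
		}
	}
	return gaps
}

var serial int64 // simple counter for constructed serial numbers

// makeCert issues a constructed (not real) certificate whose subject O= is org.
// When parent is nil the certificate is self-signed, i.e. a root.
func makeCert(org string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.test"} // constructed hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildExampleChain returns leaf, intermediate, root. The intermediate's
// subject organization is a constructed name absent from the CPS list.
func buildExampleChain() ([]*x509.Certificate, error) {
	root, rootKey, err := makeCert("The USERTRUST Network", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := makeCert("Example Rebranded CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := makeCert("Relying Party Ltd", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

// chainVerifies reports whether the chain is cryptographically valid with its
// last element trusted as a root. Validity says nothing about CPS coverage.
func chainVerifies(chain []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	return err == nil
}

func main() {
	chain, err := buildExampleChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain verifies:", chainVerifies(chain))
	for _, org := range undocumentedIssuers(chain, cpsListedOrgs) {
		fmt.Printf("issuer O=%q is not enumerated in the CPS\n", org)
	}
}
```

Against a real chain you would replace buildExampleChain with the PEM chain served by the site (or the intermediates found in CT logs, as the thread suggests) and fill cpsListedOrgs from the current CPS appendix; a non-empty result is exactly the documentation gap being discussed, not evidence that the chain is invalid.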