On Tue, Feb 5, 2019 at 11:55 AM Matthias van de Meent via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Tue, 5 Feb 2019 at 16:58, Ryan Sleevi <r...@sleevi.com> wrote:
> >
> > CAs are not presently required to disclose those profiles in that detail, but it sounds as if the issue is that Sectigo did not update the CP/CPS following the rebrand. Does that match your understanding of the issue?
>
> That is indeed my understanding.
>
> I've now read that there will be a post-rebrand CPS, so I hope that this gap in documentation will be resolved soon.
>
> In the meantime, does this qualify as a nonconformance according to point 7.1.4 in the Mozilla certificate policy -- a Certificate Policy and Certification Practice Statement (or links to a CP and CPS) or equivalent disclosure document(s) for the CA or CAs in question --? Using a strict reading, the CPS linked to in the issued certificate does not cover the certificate (in a strict reading) by not having CP/CPS information about the CA in question.
>

Section 7.1 covers "Inclusions" - the process of getting a root certificate added to Mozilla's program. Since the USERTrust RSA Certification Authority is already in the program, this section isn't applicable to the current situation.

For this to qualify as a non-conformance under Mozilla policy, I think we would first need to require CAs to list all CA certificates covered by the CPS in the document. I'm unable to locate an example, but I am fairly confident that not all CAs do this currently. I would be interested to know if others think that we should or should not add such a requirement to our policy.

On a more practical level, Sectigo's own crt.sh service exposes the information that CAs disclose about CA certificates in CCADB. On the Audit details row you can see that Sectigo has disclosed that this new intermediate is governed by their existing CPS: https://crt.sh/?id=924467861

- Wayne