On Thu, Mar 14, 2019 at 4:33 AM Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 14/03/2019 01:09, Peter Gutmann via dev-security-policy wrote:
> <snip>
> > I'd already asked previously whether any CA wanted to indicate publicly
> that
> > they were compliant with BR 7.1, which zero CAs responded to (I counted
> them
> > twice).
>
> Peter,
>
> Mozilla Root Store Policy section 2.3 [1] requires CAs to conform to the
> latest version of the Baseline Requirements.  So ISTM that until or
> unless a CA publicly states that they are non-compliant with BR 7.1, we
> should act as if that CA has publicly stated that they are compliant
> with BR 7.1.
>
> FWIW though, you can find a public statement from Sectigo at [2].
>
>
> [1]
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#23-baseline-requirements-conformance
>
> [2]
>
> https://sectigo.com/blog/all-sectigo-public-certificates-meet-64-bit-serial-number-requirements


As I posted in a related thread, we can see that both Boulder and R509
implement serial generation which conforms to BR 7.1.  Both of these are
open source CA software packages that were written by
organizations that run CAs in the Mozilla program.  Unless the public code
has different generation semantics than the production code (which would be
very strange), one can surmise users of these packages are compliant.
Additionally many other CAs are known to have built their own software
and/or use software other than EJBCA, so making any generalization isn't
really valid.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
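The BR 7.1 serial rules the thread is arguing about, as an added Go example that is not code from Boulder, R509 or any CA: the generator draws enough CSPRNG bytes that 64 bits survive clearing the sign bit, and the checker applies the encoding-side rules to an existing serial. The function names and the byte-count parameter are my own; the 20-octet limit is RFC 5280's, which the thread does not cite.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// BR 7.1: at least 64 bits of CSPRNG output and a value greater than zero.
// RFC 5280 4.1.2.2: the DER INTEGER content is at most 20 octets.
const minEntropyBits, maxSerialOctets = 64, 20

// NewSerial draws nRandom bytes (an assumed parameter) from the CSPRNG and clears
// the top bit so the INTEGER is positive without a padding octet. That costs one
// bit of randomness (8 bytes give only 63), so fewer than 9 bytes is rejected.
func NewSerial(nRandom int) (*big.Int, error) {
	if got := nRandom*8 - 1; got < minEntropyBits {
		return nil, fmt.Errorf("%d random bytes leave %d bits, need %d", nRandom, got, minEntropyBits)
	}
	if nRandom > maxSerialOctets {
		return nil, fmt.Errorf("%d random bytes exceed the %d-octet limit", nRandom, maxSerialOctets)
	}
	buf := make([]byte, nRandom)
	for {
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		buf[0] &= 0x7f
		if s := new(big.Int).SetBytes(buf); s.Sign() > 0 { // redraw the negligible all-zero case
			return s, nil
		}
	}
}

// CheckSerial applies the encoding-side rules to an existing serial: positive and
// at most 20 DER octets. Entropy belongs to the generator and cannot be checked here.
func CheckSerial(s *big.Int) error {
	if s.Sign() <= 0 {
		return fmt.Errorf("serial %s is not greater than zero", s)
	}
	b := s.Bytes()
	derLen := len(b)
	if b[0]&0x80 != 0 {
		derLen++ // DER prepends 0x00 so a set top bit is not read as negative
	}
	if derLen > maxSerialOctets {
		return fmt.Errorf("serial needs %d DER octets, limit is %d", derLen, maxSerialOctets)
	}
	return nil
}
```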