A publicly trusted CA is expected to demonstrate technical competence
around validation, issuance, and the security of its infrastructure. When
non-compliant issuance occurs, the community should expect any well-operated
CA to rapidly detect and remediate the issue, and to perform a root cause
analysis focused on how to prevent that entire class of problems in the
future.

Issues E and F argue that Certinomis is technically incapable of operating
a certificate authority in compliance with the expectations we have for
such trust. In issue E we see non-compliance with a BR requirement for OCSP
responder behavior for over 4 years. Incidentally, the requirement in
question was explicitly added to the BRs in response to a major CA security
incident. Issue F lists a pattern of repeated misissuance that suggests
repeated human typos with no systemic improvement.

Similarly, issues A through D show an apparent disinterest in policy,
compliance, and communications. Issuing a cross-certification for a CA that
was in the middle of major sanctions, having repeated audit gaps, ignoring
Mozilla root store policies for years, and generally declining to engage
with the community to help resolve these issues is not the action of an
organization that understands the responsibility of being a CA.

I believe the issues highlighted by Mozilla represent, in aggregate,
extremely strong evidence that Certinomis is unfit to operate a trusted
certificate authority.

-Paul

On April 17, 2019 at 2:44:44 AM, Wayne Thayer via dev-security-policy
(dev-security-policy@lists.mozilla.org) wrote:

Mozilla has decided that there is sufficient concern [1] about the
activities and operations of the CA Certinomis to collect together a list
of issues. That list can be found here:
https://wiki.mozilla.org/CA/Certinomis_Issues

Note that this list may expand or contract over time as issues are
investigated further, with information either from our or our community's
investigations or from Certinomis.

We expect Certinomis to engage in a public discussion of these issues and
give their comments and viewpoint. We also hope that our community will
make comments, and perhaps provide additional information based on their
own investigations.

When commenting on these issues, please clearly state which issue you are
addressing on each occasion. The issues have been given identifying letters
and numbers to help with this.

At the end of a public discussion period between Mozilla, our community,
and Certinomis, which we hope will be no longer than a couple of weeks,
Mozilla will move to make a decision about how to respond to these
concerns, based on the picture which has then emerged.

- Wayne

[1] https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Recurring_Issues
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy