Thank you Rob! These are excellent additions to this report.

I'd like to ask all the CA representatives on this list to take a look at
the updated report (https://crt.sh/mozilla-disclosures) and correct any
issues with your company's disclosures as soon as possible.

Regarding Peter's earlier comment:

> I think that the process should be updated to list CAs (subject, subject
> public key, subject key identifier), in addition to listing the CA
> certificates.

It makes sense. I'll discuss this suggestion with Kathleen.

For now, what I'm hearing is that the GoDaddy and Asseco cases are clearly
incorrect disclosures due to the certificates not showing up on the
"parent" audit statement.

I think we want to continue to hold the issuing CA accountable for
disclosing any cross-certificates it signs, but they need to indicate that
the audit and applicable CP/CPS is that of the subject CA when that is the
case. I will also consider adding guidance on this issue to
https://www.ccadb.org/cas/intermediates

- Wayne

On Wed, Jul 24, 2019 at 9:41 AM Rob Stradling <r...@sectigo.com> wrote:

> [Wearing Sectigo hat]
>
> Andrew, thanks for filing [1].  Sectigo will provide a full response on
> that bug, but I'll just note here that we have updated the CCADB records
> for the cross-certificates such that the Audit and CP/CPS details are
> now consistent with the Web.com roots.  As it happens, I was already
> aware of this inconsistency, but I'd delayed fixing it so that I could
> use it as a test case for...
>
> [Wearing crt.sh hat]
>
> https://crt.sh/mozilla-disclosures now has two new buckets:
> - Disclosed, but with Inconsistent Audit details
> - Disclosed, but with Inconsistent CP/CPS details
>
> (I started discussing this new feature with Kathleen, Wayne and Sleevi
> off-list a few months ago, but I was not able to finish implementing it
> until a few days ago).
>
> I've also made the checks for the "Disclosure Incomplete" bucket
> stricter.  Missing/incomplete disclosures of BR and/or EV audits are now
> flagged.
>
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060
>
> On 18/07/2019 21:46, Andrew Ayer via dev-security-policy wrote:
> > On Thu, 18 Jul 2019 11:40:31 -0700
> > Wayne Thayer via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> >> Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of
> >> a bit of discussion.
> >
> > There's a third bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1567062
> >
> > Like the GoDaddy case, the intermediate supposedly having the same
> > CP/CPS/audits as parent is not listed in the parent's audit report, so
> > this too looks like an incorrect disclosure.
> >
> > Regarding Sectigo and Web.com, although their CPSes use extremely
> > similar language, they are not consistent, since they list different
> > CAA domains.
> >
> > Regards,
> > Andrew
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
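The checks discussed in this thread, as an added example that is not part of the original mailing-list posts and is not crt.sh's or the CCADB's own code: it identifies a CA by (subject, subject public key, subject key identifier) as Peter suggested, so that a root and every cross-certificate for the same key fall into one group; it then flags a record whose Audit or CP/CPS details disagree with the subject CA's own record (Rob's two new buckets), and separately flags a record whose cited audit statement does not actually list the certificate (the GoDaddy and Asseco pattern). The record fields, bucket names, fingerprints, URLs and the audit-coverage map are all constructed assumptions, not the real CCADB schema or crt.sh's classification.

```python
"""Consistency checks for CCADB-style CA disclosures (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class CaIdentity:
    # A CA is identified by its name and key, not by one certificate:
    # every cross-certificate for the same CA shares these three values.
    subject: str
    spki_sha256: str
    ski: str


@dataclass(frozen=True)
class Disclosure:
    # One disclosed CA certificate record. Field names are assumptions
    # made for this example, not the real CCADB schema.
    sha256: str
    subject: str
    spki_sha256: str
    ski: str
    issuer: str
    audit_url: str
    cpcps_url: str

    @property
    def ca(self) -> CaIdentity:
        return CaIdentity(self.subject, self.spki_sha256, self.ski)

    @property
    def self_signed(self) -> bool:
        return self.issuer == self.subject


OK = "Disclosed"
INCONSISTENT_AUDIT = "Disclosed, but with Inconsistent Audit details"
INCONSISTENT_CPCPS = "Disclosed, but with Inconsistent CP/CPS details"
NOT_IN_AUDIT = "Disclosed, but not listed in the cited audit statement"


def classify(records: Iterable[Disclosure],
             audit_coverage: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each certificate fingerprint to the buckets it falls into.

    audit_coverage maps an audit statement URL to the set of certificate
    SHA-256 fingerprints that statement says it covers (constructed input).
    """
    records = list(records)
    by_ca: Dict[CaIdentity, List[Disclosure]] = defaultdict(list)
    for r in records:
        by_ca[r.ca].append(r)

    result: Dict[str, List[str]] = {}
    for r in records:
        buckets: List[str] = []
        group = by_ca[r.ca]
        # Use the subject CA's own (self-signed) record as the reference:
        # a cross-certificate must carry the subject CA's audit and CP/CPS,
        # not the issuing CA's.
        ref: Optional[Disclosure] = next((g for g in group if g.self_signed), None)
        if ref is not None and ref is not r:
            if r.audit_url != ref.audit_url:
                buckets.append(INCONSISTENT_AUDIT)
            if r.cpcps_url != ref.cpcps_url:
                buckets.append(INCONSISTENT_CPCPS)
        elif ref is None:
            # No root record to anchor on: disagreement among the
            # cross-certificates themselves is still an inconsistency.
            if len({g.audit_url for g in group}) > 1:
                buckets.append(INCONSISTENT_AUDIT)
            if len({g.cpcps_url for g in group}) > 1:
                buckets.append(INCONSISTENT_CPCPS)
        # The cited audit statement must actually list this certificate.
        covered = audit_coverage.get(r.audit_url)
        if covered is not None and r.sha256 not in covered:
            buckets.append(NOT_IN_AUDIT)
        result[r.sha256] = buckets or [OK]
    return result


# Constructed sample data: fingerprints, names and URLs are placeholders.
SAMPLE_RECORDS = [
    Disclosure("aa01", "WebCo Root", "spki-webco", "ski-webco", "WebCo Root",
               "https://example.invalid/webco-audit", "https://example.invalid/webco-cps"),
    # Cross-certificate for the same key, disclosed with the issuer's details.
    Disclosure("aa02", "WebCo Root", "spki-webco", "ski-webco", "Sect Root",
               "https://example.invalid/sect-audit", "https://example.invalid/sect-cps"),
    # Intermediate citing its parent's audit, which does not list it.
    Disclosure("bb01", "GD Sub CA", "spki-gdsub", "ski-gdsub", "GD Root",
               "https://example.invalid/gd-audit", "https://example.invalid/gd-cps"),
    Disclosure("dd01", "Good Sub CA", "spki-good", "ski-good", "Good Root",
               "https://example.invalid/good-audit", "https://example.invalid/good-cps"),
]
SAMPLE_AUDITS = {
    "https://example.invalid/webco-audit": {"aa01", "aa02"},
    "https://example.invalid/sect-audit": {"ee01", "aa02"},
    "https://example.invalid/gd-audit": {"cc01"},
    "https://example.invalid/good-audit": {"cc02", "dd01"},
}

if __name__ == "__main__":
    for sha, buckets in classify(SAMPLE_RECORDS, SAMPLE_AUDITS).items():
        print(sha, "->", "; ".join(buckets))
```

Grouping by key rather than by certificate is what makes the Sectigo/Web.com case visible at all: the cross-certificate and the root are different certificates but the same CA, so their disclosed audit and CP/CPS must agree. The separate coverage check catches the opposite failure, where a record points at a real audit statement that simply does not mention the certificate.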
