Hi Ryan Camerfirma is working writing a complete answer to Ben comunicación. Ben has been informed from the first day. Hope we can send it in the next days.
Regards Ramiro Obtener Outlook para Android<https://aka.ms/ghei36> ________________________________ De: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> en nombre de Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> Enviado: jueves, 10 de diciembre de 2020 21:44 Para: Ben Wilson Cc: mozilla-dev-security-policy Asunto: Re: Summary of Camerfirma's Compliance Issues Hi Ben, This is clearly a portrait of a CA that, like those that came before [1][2][3][4], paint a pattern of a CA that consistently and regularly fails to meet program requirements, in a way that clearly demonstrates these are systemic and architectural issues. As with Symantec, we see a systematic failure to appropriately supervise RAs and Sub-CAs. As with Procert, we see systemic technical failures continuing to occur. We also see problematic practices here of revocations happening without a systemic examination about why, which leads them to overlook incident reports. As with Visa, we see significant issues with their audits that are fundamentally irreconcilable. As called out in [5] (Issue JJ), short of distrusting their certificates, there isn't a path forward here. I'm concerned that there's been no response from Camerfirma, even acknowledging this publicly, as is the norm. I wanted to give a week, even to allow for a simple acknowledgement, since Mozilla Policy requires that CAs MUST follow and be aware of discussions here, above and beyond your direct communication with them pointing this out. Given that there haven't been corrections proposed yet, is it appropriate to begin discussing what next steps should be to protect users? [1] https://wiki.mozilla.org/CA:PROCERT_Issues [2] https://wiki.mozilla.org/CA:Visa_Issues [3] https://wiki.mozilla.org/CA:Symantec_Issues [4] https://wiki.mozilla.org/CA:WoSign_Issues [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1583470#c3 On Thu, Dec 3, 2020 at 1:01 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > All, > > We have prepared an issues list as a summary of Camerfirma's compliance > issues over the past several years. The purpose of the list is to collect > and document all issues and responses in one place so that an overall > picture can be seen by the community. The document is on the Mozilla wiki: > https://wiki.mozilla.org/CA:Camerfirma_Issues. > <https://wiki.mozilla.org/CA:Camerfirma_Issues> > > I will now forward the link above to Camerfirma to provide them with a > proper opportunity to respond to the issues raised and to ask that they > respond directly in m.d.s.p. with any comments, corrections, inputs, or > updates that they may have. > > If anyone in this group believes they have an issue appropriate to add to > the list, please send an email to certifica...@mozilla.org. > > Sincerely yours, > Ben Wilson > Mozilla Root Program > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
