On Sun, 17 Jan 2021 00:51:29 -0800 (PST) Ramiro Mu__oz via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Some certificates may have been syntactically > incorrect due to misinterpretation, but we have never compromised any > vetting, identification or information validation. This is false, as shown by incidents like https://bugzilla.mozilla.org/show_bug.cgi?id=1672423 (issuing for a non-existent domain) and https://bugzilla.mozilla.org/show_bug.cgi?id=1420871 (not checking CAA), not to mention the validation failures by sub-CAs for which Camerfirma is ultimately responsible. And even misissuances that are just "syntactically incorrect" are concerning because they show a disregard for the policies that exist to prevent harm to innocent parties. It's troubling that even at this stage, Camerfirma still doesn't seem to grasp the seriousness of their compliance problems. Today, they are arguing that there was no security threat from a certificate issued for a domain without authorization because the subdomain in the certificate "does not exist": https://bugzilla.mozilla.org/show_bug.cgi?id=1672409#c8 Camerfirma was warned in 2018 that trust in their CA was in jeopardy, yet compliance problems continued. There is no reason to believe Camerfirma will improve, and there are many indications that they won't. Mozilla's users deserve CAs that take security more seriously than this. It's time to take action to protect Mozilla's users by distrusting Camerfirma. Regards, Andrew _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
