On 9th July 2019, Kathleen wrote:
> I propose that to handle this situation, the CA may enter the
> subordinate CA's current audit statements and use the Public Comment
> field to indicate that the new certificate will be included in the next
> audit statements.

Hi Kathleen.  CCADB now automatically shows the following message (when 
relevant) in red text at the top of each intermediate certificate page:

    "This certificate was created after the audit period of the current audit 
statement, so please make sure to include it in the CA's next periodic audit 
statement."

Do you still expect CAs to "use the Public Comment field to indicate that the 
new certificate will be included in the next audit statements"?
Or may we stop doing that now?

Thanks.

________________________________
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on 
behalf of Kathleen Wilson via dev-security-policy 
<dev-security-policy@lists.mozilla.org>
Sent: 09 July 2019 22:50
To: mozilla-dev-security-pol...@lists.mozilla.org 
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: New intermediate certs and Audit Statements

All,

There is some confusion about disclosure of new intermediate certs that
are issued to subordinate CAs with currently valid audit statements.

Section 5.3.2 of Mozilla's Root Store Policy says: "If the CA has a
currently valid audit report at the time of creation of the certificate,
then the new certificate MUST appear on the CA's next periodic audit
reports."

I think it is reasonable to assume that the same policy applies to
subordinate CAs, such that if the subordinate CA has a currently valid
audit report at the time of creation of a new intermediate certificate,
then the new certificate MUST appear on the subordinate CA's next
periodic audit reports.

The confusion is about how to disclose such a new intermediate
certificate in the CCADB.

I propose that to handle this situation, the CA may enter the
subordinate CA's current audit statements and use the Public Comment
field to indicate that the new certificate will be included in the next
audit statements. (Also, a quick comparison of the cert's Valid-From
date and the audit period dates will indicate this situation.)

Please let me know if you foresee any problems with this approach.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy