Q: I suppose my question is what specific operational changes have been made on your side since then so that the inability to fulfill the baseline requirements won't remain an issue were you to be part of Mozilla's program?
Mr Kurt, as I explained earlier, the wrong emissions were initial, the rules for us were from ICP-Brasil. After the incident, it was also clear to the RAIZ CA that we should just follow the BR SSL rules for SERPRO SSL CA. So we've made the necessary tweaks to the CA software for that. Since then, we have continued to carry out matching emissions within the BR SSL rules. In addition, as previously written, we use Cachecker to help us make immediate analyses if we are infringing any BR SSL rule and, if necessary, adjust the CA software. We understand that the improvement process is continuous.

On Thursday, December 8, 2022 at 14:21:15 UTC-3, [email protected] wrote:

> On Thu, Dec 8, 2022 at 7:57 AM Lucia Castelli <[email protected]> wrote:
>
>> Now I understand better. Thanks for rephrasing the question.
>> What happened was that we started using the CACHECKER "first" instead of
>> waiting for the Root CA to be alerted to wrong certificates.
>> We always aim to only use CA SSL/TLS software in compliance with BR SSL
>> requirements.
>>
>
> 1) What is CACHECKER exactly (a service? software?)
>
> 2) How were you validating control of the DNS domains if you weren't
> ensuring you were only issuing certificates to DNS names? Because you
> issued many certificates to urls, single names and so on spanning months.
>
>> We understand that we need to respect the rules about the time for
>> revocation, and we started intensify this issue even more if we are
>> accepted in root programs.
>> Well, as I read the bugzillas daily, I see that even today there are
>> still CAs, that are in the program, and also have problems, keeping the
>> revocation time within the rules.
>>
>
> So to confirm: you're promising to do better once accepted into the root
> program? But you're not willing to show that you can and will do this prior
> to being accepted?
>
>> We assume that we have rules to resolve issues and not remain impartial.
>> Thanks about your question.
>>
>> On Thursday, December 8, 2022 at 11:48:38 UTC-3,
>> [email protected] wrote:
>>
>>> Hello:
>>>
>>> regarding this:
>>>
>>>> 2 - As I explained earlier, we had problems with the SAN of all these
>>>> certificates, alerted by Mozilla to our Root CA, as the Root CA rules
>>>> overlapped the BR SSL rules.
>>>>
>>> Unfortunately, due to the very large number of certificates, it was not
>>>> possible to fulfill what is expected (24 hours timeline), both from the BR
>>>> SSL regulations and what we reflect in our regulations (CPS).
>>>>
>>>> These revocations, unfortunately, lasted much longer than expected.
>>>>
>>>> We understand that we would not, yet, be infringing the rules, because
>>>> our certificate is not in the Mozilla program.
>>>>
>>> I suppose my question is what specific operational changes have been
>>> made on your side since then so that the inability to fulfill the baseline
>>> requirements won't remain an issue were you to be part of Mozilla's program?
>>>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
