Re: Audit Letter Validation (ALV) on intermediate certs in CCADB
All,

As Ryan points out, root store operators enforce the BRs in different ways.

Ryan wrote:
> (Writing in an official capacity for the Google/Chrome Root Program)
>
> Our expectation is that CAs will be filing incident reports for:
> 1) The failure to include and document as in-scope within the relevant audit
> 2) If the CA fails to revoke within the time period required by the BRs, the failure to revoke within the BR time period
>
> As two separate reports.
>
> We encourage CAs to carefully examine these reports and provide updates as to their planned revocations.

My understanding is that Google’s root store expectations differ from Mozilla’s root store expectations regarding handling of non-technically-constrained intermediate certificates missing BR audits in 2 ways.

1) Mozilla is currently okay with the incident report for not revoking the non-BR-audited non-technically-constrained intermediate certificates to be handled in the same Bugzilla bug as the missing-audits incident report. However, I interpret Ryan’s message to mean that Google would like those to be two separate Bugzilla Bugs.

Note: I will add a report to wiki.mozilla.org/CA/Intermediate_Certificates to list all of the intermediate certificates that have been added to OneCRL and their revocation status. This will enable the CA Community to identify which certificates have been added to OneCRL but are not actually revoked.

2) From Mozilla’s perspective, adding a non-technically-constrained intermediate certificate to Mozilla’s OneCRL (only consumed by Firefox) means that the BRs become out of scope for that certificate. So Mozilla does not require that certificate to be revoked.

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

How Certificates are Verified by Firefox
If you are one of the many people who have wondered how exactly Firefox handles some aspect of certificate processing, you may be interested to know that we have recently updated the information on our wiki:

https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification

I hope you find this helpful.

- Wayne

Re: Audit Reminder Email Summary
Forwarded Message
Subject: Summary of November 2019 Audit Reminder Emails
Date: Tue, 19 Nov 2019 20:00:22 + (GMT)

Mozilla: Audit Reminder
CA Owner: D-TRUST
Root Certificates:
   D-TRUST Root CA 3 2013
   D-TRUST Root Class 3 CA 2 2009
   D-TRUST Root Class 3 CA 2 EV 2009
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120703_D-Trust_Root_CA3_s.pdf
Standard Audit Period End Date: 2018-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120702_D-Trust-Root_Class3_CA2_s.pdf
Standard Audit Period End Date: 2018-10-07
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120701_D-Trust_Root_Class3_CA2_EV_s.pdf
Standard Audit Period End Date: 2018-10-07
BR Audit:
BR Audit Period End Date:
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120702_D-Trust-Root_Class3_CA2_s.pdf
BR Audit Period End Date: 2018-10-07
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120701_D-Trust_Root_Class3_CA2_EV_s.pdf
BR Audit Period End Date: 2018-10-07
EV Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018120701_D-Trust_Root_Class3_CA2_EV_s.pdf
EV Audit Period End Date: 2018-10-07
CA Comments: null

Mozilla: Audit Reminder
CA Owner: Microsec Ltd.
Root Certificates:
   Microsec e-Szigno Root CA 2009
Standard Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018121301_Microsec-eSzignoRoot-CA-2009_nonEV-CAs_s.pdf
Standard Audit Period End Date: 2018-09-14
BR Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/AA2018121301_Microsec-eSzignoRoot-CA-2009_nonEV-CAs_s.pdf
BR Audit Period End Date: 2018-09-14
CA Comments: null

Mozilla: Audit Reminder
CA Owner: SwissSign AG
Root Certificates:
   SwissSign Gold CA - G2
   SwissSign Platinum CA - G2
   SwissSign Silver CA - G2
Standard Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122002_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
Standard Audit Period End Date: 2018-09-28
Standard Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122001_Audit_Attestation_TA_CERT__SwissSign_Platinum_G2.pdf
Standard Audit Period End Date: 2018-09-28
Standard Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122003_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
Standard Audit Period End Date: 2018-09-28
BR Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122002_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
BR Audit Period End Date: 2018-09-28
BR Audit:
BR Audit Period End Date:
BR Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122003_Audit_Attestation_TA_CERT__SwissSign_Silver_G2.pdf
BR Audit Period End Date: 2018-09-28
EV Audit: https://it-tuv.com/wp-content/uploads/2018/12/AA2018122002_Audit_Attestation_TA_CERT__SwissSign_Gold_G2.pdf
EV Audit Period End Date: 2018-09-28
CA Comments: null

Mozilla: Audit Reminder
CA Owner: SecureTrust
Root Certificates:
   Secure Global CA
   SecureTrust CA
   XRamp Global Certification Authority
Standard Audit: https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=223500
Standard Audit Period End Date: 2018-09-30
BR Audit: https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=223501
BR Audit Period End Date: 2018-09-30
EV Audit: https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=223502
EV Audit Period End Date: 2018-09-30
CA Comments: Changed CA Name from Trustwave to SecureTrust on February 1, 2019.