Request to Include certSIGN Root CA G2 certificate
This request is for inclusion of the certSIGN Root CA G2 certificate and to turn on the Websites trust bit and for EV treatment.

The request is documented in Bugzilla and in the CCADB as follows:
https://bugzilla.mozilla.org/show_bug.cgi?id=1403453
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0403
(Summary of info gathered and verified, URLs for test websites, etc.)

* certSIGN’s BR Self Assessment is here: https://bugzilla.mozilla.org/attachment.cgi?id=9052673

The Certsign document repository can be found here: https://www.certsign.ro/en/certsign-documents/policies-procedures

* Root Certificate Locations:
http://crl.certsign.ro/certsign-rootg2.crt
http://registru.certsign.ro/certcrl/certsign-rootg2.crt
http://www.certsign.ro/certcrl/certsign-rootg2.crt
https://crt.sh/?q=657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
https://censys.io/certificates/657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305/pem

* EV Policy OID: 2.23.140.1.1

* CRL URL: http://crl.certsign.ro/certsign-rootg2.crl

* OCSP URL: http://ocsp.certsign.ro

* Audit: See https://bugzilla.mozilla.org/attachment.cgi?id=9142635 (http://lsti-certification.fr/images/LSTI_Audit_Atttestation_Letter_1612-163_V10_Certsign_S.pdf) which shows that a recent annual audit was performed on the certSIGN Root CA G2 by LSTI Group according to “ETSI EN 319 411-2, V2.2.2 (2018-04)”, “ETSI EN 319 411-1, V1.2.2 (2018-04)” and “ETSI EN 319 401, V2.2.1 (2018-04)” as well as the CA/Browser Forum’s “EV SSL Certificate Guidelines, version 1.7.1” and “Baseline Requirements, version 1.6.7” considering the requirements of the “ETSI EN 319 403, V2.2.2 (2015-08)” for the Trust Service Provider Conformity Assessment.
* CP/CPS Review

Ryan Sleevi conducted a preliminary review of the PKI Disclosure Statement and CPS - https://bugzilla.mozilla.org/show_bug.cgi?id=1403453#c13

I followed up, and now Comment #24 in Bugzilla shows the latest responses from Certsign - https://bugzilla.mozilla.org/show_bug.cgi?id=1403453#c24

This begins the 3-week comment period for this request.

I will greatly appreciate your thoughtful and constructive feedback on the acceptance of this root into the Mozilla CA program.

Thanks,
Ben
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
RE: Sectigo: Failure to revoke certificate with compromised key
> > The necessary evidence was provided to Sectigo and they have thus far
> > failed to deal with the evidence or clearly articulate reasons for
> > concluding this case to not be a compromise.
>
> What I've found works best when reporting these cases to m.d.s.p is to
> provide all the (substantive) correspondence, exactly as it was
> sent/received, along with UTC timestamps. That allows for independent
> assessment that Sectigo has, in fact, fallen down on the job, rather than it
> being possible that there's just a big ol' misunderstanding going on.
> Here's an example of the sort of thing I mean:
>
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wtM7uX1stIA
>
> - Matt

I can see the report in to our problem reporting mailbox (sslab...@sectigo.com) and the ticket on our side.

I have created https://bugzilla.mozilla.org/show_bug.cgi?id=1635840 and I will follow up with an incident report in that bug.

Regards
Robin Alden
Sectigo
Re: Audit Reminders for Intermediate Certs
Sorry for the delayed reply here, but in the process of being surprised that there are still CAs with delays > 90 days, I was looking through historic patterns, and noticed this CA is a repeat from the year prior.

That is, this CA, https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13051.html , had the same issue last year as well, https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12100.html

Should we be creating CA incidents for repeats? I wasn’t sure if this was just an administrative hiccup on the Mozilla side in processing the case, or if this is a matter where the CA is not disclosing in a timely fashion.

On Tue, Mar 3, 2020 at 12:30 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Forwarded Message
> Subject: Summary of March 2020 Outdated Audit Statements for
> Intermediate Certs
> Date: Tue, 3 Mar 2020 15:00:16 + (GMT)
>
> CA Owner: AC Camerfirma, S.A.
> - Certificate Name: InfoCert Organization Validation CA 3
> SHA-256 Fingerprint:
> 247A6D807FF164031E0EB22CA85DE329A3A4E6603DBC6203F0C6E282A9C9EA84
> Standard Audit Period End Date (mm/dd/): 12/02/2018
> BR Audit Period End Date (mm/dd/): 12/02/2018