On Wed, Jul 18, 2018 at 1:56 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> I would like to begin a 3-week public discussion period for InfoCert's
> acquisition of Camerfirma [1] as described in section 8.1 of the Mozilla
> Root Store Policy. I believe that the intent of our policy in this scenario
> is to identify and consider any risks introduced by the acquisition of
> Camerfirma, and not to reevaluate Camerfirma's inclusion as if it were a
> new CA. In that context, I will appreciate everyone's constructive input on
> issues that may affect Mozilla's ongoing trust in InfoCert/Camerfirma. I
> have included some additional information below.
>
> - Wayne
>
> Camerfirma answered the questions that I posed [2] about this acquisition
> as follows:
>
> <snip>
>
> Camerfirma has one open compliance bug [5] requesting full audit
> information for a subordinate CA.
>
Camerfirma has supplied the audit information for this subordinate CA.

Camerfirma also recently issued two intermediates that were not disclosed
within the required week [8][9].

> Camerfirma's 2018 audit statements are overdue - the prior period ended on
> 14-April 2017, and new statements have not yet been supplied to Mozilla.
> Last year's statements are still listed on the Camerfirma website [6].
>
Camerfirma has supplied their 2018 audit reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

The WebTrust, BR, and EV reports all contain multiple qualifications. I
would summarize the qualifications as follows:
* Inconsistencies and omissions in CP/CPS documents which I would consider
relatively minor.
* Misissuances. The reports appear to be referring to those documented in
bugs 1357067, 1390977, 1405815, 1431164, and 1443857.
* Misissuance for "wildcard to immediate left of public suffix in SAN" was
also reported. I found [10], but since those are for the .sener brand TLD,
it is possible that Camerfirma issued them in compliance with BR 3.2.2.6.
* Not meeting the BR requirement to revoke within 24 hours, presumably
referencing bug 1390977.
* The revocation time differs between the OCSP service and CRL for a few
certificates, and the OCSP service responds "good" for some certificates
revoked according to the CRL.
* Failure to begin investigations of problem reports within 24 hours.
* Failure to self-audit at least 3% of issued certificates each quarter.

<snip>

> [1] https://infocert.digital/infocert-underwrites-a-capital-increase-to-acquire-51-of-the-spanish-ac-camerfirma/
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=986854
> [4] https://groups.google.com/d/msg/mozilla.dev.security.policy/skev4gp_bY4/snIuP2JLAgAJ
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1455147
> [6] https://www.camerfirma.com/camerfirma/acreditaciones/
> [7] http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_3.3.1_EN.pdf

[8] https://crt.sh/?sha256=06a57d1cd5879fba2135610dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=mozilladisclosure
[9] https://crt.sh/?sha256=1defd59846cc2049ba1f1a74d3a8329d1357a2d47c1e1b0c15c27a8c60295455&opt=mozilladisclosure
[10] https://crt.sh/?cablint=319&iCAID=1778&minNotBefore=2017-01-01
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy