We are curious why our cross-roots are showing up on the list. Can you share 
the logic on why these are appearing on the report?
As far as our reviews are concerned, we see that all of these cross-roots are 
properly disclosed and have covering audits.
 
We also see that you have listed CAs where there is a different audit for the 
issuing CA than the audit that covers the root and the intermediate CA.
We have reviewed the audits we have posted on CCADB for the non-TLS CAs and we 
find we have accurately disclosed the division of responsibility between our 
external CA operators who control the issuing CA under their own qualifying 
audit, and our audits which cover the Root and the intermediate CA which we 
operate in an offline manner.

Thank you,
Brenda Bernal
DigiCert

On 7/24/19, 9:42 AM, "dev-security-policy on behalf of Rob Stradling via 
dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf 
of dev-security-policy@lists.mozilla.org> wrote:

    [Wearing Sectigo hat]
    
    Andrew, thanks for filing [1].  Sectigo will provide a full response on 
    that bug, but I'll just note here that we have updated the CCADB records 
    for the cross-certificates such that the Audit and CP/CPS details are 
    now consistent with the Web.com roots.  As it happens, I was already 
    aware of this inconsistency, but I'd delayed fixing it so that I could 
    use it as a test case for...
    
    [Wearing crt.sh hat]
    
    https://crt.sh/mozilla-disclosures now has two new buckets:
    - Disclosed, but with Inconsistent Audit details
    - Disclosed, but with Inconsistent CP/CPS details
    
    (I started discussing this new feature with Kathleen, Wayne and Sleevi 
    off-list a few months ago, but I was not able to finish implementing it 
    until a few days ago).
    
    I've also made the checks for the "Disclosure Incomplete" bucket 
    stricter.  Missing/incomplete disclosures of BR and/or EV audits are now 
    flagged.
    
    
    [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060
    
    On 18/07/2019 21:46, Andrew Ayer via dev-security-policy wrote:
    > On Thu, 18 Jul 2019 11:40:31 -0700
    > Wayne Thayer via dev-security-policy
    > <dev-security-policy@lists.mozilla.org> wrote:
    > 
    >> Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of
    >> a bit of discussion.
    > 
    > There's a third bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1567062
    > 
    > Like the GoDaddy case, the intermediate supposedly having the same
    > CP/CPS/audits as parent is not listed in the parent's audit report, so
    > this too looks like an incorrect disclosure.
    > 
    > Regarding Sectigo and Web.com, although their CPSes use extremely
    > similar language, they are not consistent, since they list different
    > CAA domains.
    > 
    > Regards,
    > Andrew
    
    -- 
    Rob Stradling
    Senior Research & Development Scientist
    Sectigo Limited
    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy
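Added example, not crt.sh's code and not tooling from DigiCert, Sectigo or any other CA on this thread: a small Python classifier that sorts CCADB-style disclosure records into the buckets the thread names ("Disclosure Incomplete", "Disclosed, but with Inconsistent Audit details", "Disclosed, but with Inconsistent CP/CPS details"). All field names, URLs, fingerprints and the sample records are constructed. Two design choices are assumptions about how such a check could be built, not a description of crt.sh's actual logic: a cross-certificate is recognised as a disclosed record whose subject public key matches a root's, and only those records are compared against the root, so an externally operated issuing CA with its own key and its own qualifying audit (the DigiCert case above) is not flagged; and "incomplete" covers both a missing BR/EV audit and an audit statement that does not list the certificate (the case Andrew describes).

```python
# Added example (not crt.sh's code, not any CA's own tooling): bucket
# CCADB-style disclosure records the way the thread describes. Field names,
# URLs, fingerprints and the records themselves are all constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Audit:
    kind: str            # "Standard", "BR" or "EV"
    url: str             # audit statement URL as disclosed on the record
    covers: frozenset    # certificate fingerprints the audit statement lists


@dataclass(frozen=True)
class Record:
    fingerprint: str
    spki: str                  # hash of the subject public key
    parent: Optional[str]      # parent fingerprint; None for a root
    trust_bits: frozenset      # e.g. {"Websites"} or {"Email"}
    ev: bool                   # EV treatment requested for this record
    audits: tuple              # Audit objects disclosed on this record
    cps_url: str


BUCKET_ROOT = "Root"
BUCKET_OK = "Disclosed"
BUCKET_INCOMPLETE = "Disclosure Incomplete"
BUCKET_AUDIT = "Disclosed, but with Inconsistent Audit details"
BUCKET_CPS = "Disclosed, but with Inconsistent CP/CPS details"


def required_audit_kinds(rec: Record) -> set:
    """Audits a record must disclose: a standard audit always, a BR audit
    when trusted for Websites, an EV audit when EV is enabled."""
    kinds = {"Standard"}
    if "Websites" in rec.trust_bits:
        kinds.add("BR")
    if rec.ev:
        kinds.add("EV")
    return kinds


def classify(rec: Record, records: dict) -> str:
    """Return the bucket for one disclosed record (assumed logic, see above)."""
    if rec.parent is None:
        return BUCKET_ROOT
    # 1. Incomplete: a required audit kind is absent, or a disclosed audit
    #    statement does not actually list this certificate.
    if required_audit_kinds(rec) - {a.kind for a in rec.audits}:
        return BUCKET_INCOMPLETE
    if any(rec.fingerprint not in a.covers for a in rec.audits):
        return BUCKET_INCOMPLETE
    # 2. Cross-certificate: same key as a disclosed root, so its audit and
    #    CP/CPS details must match that root's record. Subordinates with
    #    their own key are not compared, so an externally operated issuing
    #    CA under its own audit is not flagged.
    root = next((r for r in records.values()
                 if r.parent is None and r.spki == rec.spki), None)
    if root is not None:
        own = {(a.kind, a.url) for a in rec.audits}
        theirs = {(a.kind, a.url) for a in root.audits}
        if own != theirs:
            return BUCKET_AUDIT
        if rec.cps_url != root.cps_url:
            return BUCKET_CPS
    return BUCKET_OK


def report(records: dict) -> dict:
    """Map every fingerprint in the input to its bucket."""
    return {fp: classify(rec, records) for fp, rec in records.items()}


# ---- constructed sample data -------------------------------------------
WEB = frozenset({"Websites"})
A_COVERED = frozenset({"root-a", "xc-a-cps", "xc-a-audit"})  # listed in root A's audits
A_STD = Audit("Standard", "https://example.test/a-std.pdf", A_COVERED)
A_BR = Audit("BR", "https://example.test/a-br.pdf", A_COVERED)
A_EV = Audit("EV", "https://example.test/a-ev.pdf", A_COVERED)
A_BR_OLD = Audit("BR", "https://example.test/a-br-2018.pdf", A_COVERED)
B_COVERED = frozenset({"root-b"})
B_STD = Audit("Standard", "https://example.test/b-std.pdf", B_COVERED)
B_BR = Audit("BR", "https://example.test/b-br.pdf", B_COVERED)
EXT_STD = Audit("Standard", "https://example.test/ext-std.pdf", frozenset({"sub-ext"}))
EXT_BR = Audit("BR", "https://example.test/ext-br.pdf", frozenset({"sub-ext"}))

SAMPLE_RECORDS = {r.fingerprint: r for r in [
    Record("root-a", "spki-a", None, WEB, True, (A_STD, A_BR, A_EV), "https://example.test/a-cps.pdf"),
    Record("root-b", "spki-b", None, WEB, False, (B_STD, B_BR), "https://example.test/b-cps.pdf"),
    # cross-certs of root A signed by root B: one with a stale CPS link,
    # one pointing at a superseded BR audit
    Record("xc-a-cps", "spki-a", "root-b", WEB, True, (A_STD, A_BR, A_EV), "https://example.test/old-cps.pdf"),
    Record("xc-a-audit", "spki-a", "root-b", WEB, True, (A_STD, A_BR_OLD, A_EV), "https://example.test/a-cps.pdf"),
    # externally operated issuing CA under its own audit: not compared to any root
    Record("sub-ext", "spki-c", "root-a", WEB, False, (EXT_STD, EXT_BR), "https://example.test/ext-cps.pdf"),
    # TLS-trusted subordinate that discloses no BR audit at all
    Record("sub-no-br", "spki-d", "root-a", WEB, False, (A_STD,), "https://example.test/a-cps.pdf"),
    # claims the parent's audits, but the parent's audit statements do not list it
    Record("sub-not-listed", "spki-e", "root-a", WEB, False, (A_STD, A_BR), "https://example.test/a-cps.pdf"),
]}

if __name__ == "__main__":
    for fp, bucket in report(SAMPLE_RECORDS).items():
        print(f"{fp:16} {bucket}")
```

Incompleteness is checked before inconsistency so that a record is never reported as "inconsistent" on the strength of an audit that does not cover it in the first place; swapping the order would let the two cross-certificate cases mask a missing-audit problem.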
    
    
