We are curious why our cross-roots are showing up on the list. Can you share the logic on why these are appearing on the report? As far as our reviews are concerned, we see that all of these cross-roots are properly disclosed and have covering audits. We also see that you have listed CAs where there is a different audit for the issuing CA than the audit that covers the root and the intermediate CA. We have reviewed the audits we have posted on CCADB for the non-TLS CAs, and we find we have accurately disclosed the division of responsibility between our external CA operators, who control the issuing CA under their own qualifying audit, and our audits, which cover the Root and the intermediate CA that we operate in an offline manner.
Thank you,
Brenda Bernal
DigiCert

On 7/24/19, 9:42 AM, "dev-security-policy on behalf of Rob Stradling via dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf of dev-security-policy@lists.mozilla.org> wrote:

[Wearing Sectigo hat]

Andrew, thanks for filing [1]. Sectigo will provide a full response on that bug, but I'll just note here that we have updated the CCADB records for the cross-certificates such that the Audit and CP/CPS details are now consistent with the Web.com roots.

As it happens, I was already aware of this inconsistency, but I'd delayed fixing it so that I could use it as a test case for...

[Wearing crt.sh hat]

https://crt.sh/mozilla-disclosures now has two new buckets:
- Disclosed, but with Inconsistent Audit details
- Disclosed, but with Inconsistent CP/CPS details

(I started discussing this new feature with Kathleen, Wayne and Sleevi off-list a few months ago, but I was not able to finish implementing it until a few days ago).

I've also made the checks for the "Disclosure Incomplete" bucket stricter. Missing/incomplete disclosures of BR and/or EV audits are now flagged.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060

On 18/07/2019 21:46, Andrew Ayer via dev-security-policy wrote:
> On Thu, 18 Jul 2019 11:40:31 -0700
> Wayne Thayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of
>> a bit of discussion.
>
> There's a third bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1567062
>
> Like the GoDaddy case, the intermediate supposedly having the same
> CP/CPS/audits as parent is not listed in the parent's audit report, so
> this too looks like an incorrect disclosure.
>
> Regarding Sectigo and Web.com, although their CPSes use extremely
> similar language, they are not consistent, since they list different
> CAA domains.
>
> Regards,
> Andrew

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
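The buckets Rob describes (Undisclosed, Disclosure Incomplete, and the two new "Disclosed, but with Inconsistent ..." buckets) are easiest to understand as a consistency check over CCADB-style records: a cross-certificate carries the public key of a root that is already in the program, so its effective audit and CP/CPS details should match that root's, and a TLS-capable or EV-capable CA should carry BR and EV audits, not only a standard WebTrust/ETSI audit. The following is an added example written for this page, not crt.sh's code or anything from CCADB; the record fields (`audits_same_as_parent`, `cps_same_as_parent`, `tls_capable`, `ev_capable`), the exact ordering of the checks, and all sample records are constructed assumptions chosen to mirror the cases named in the thread (a cross-certificate disclosed under its issuer's audits and CPS, and an intermediate missing a BR audit).

```python
"""Illustrative reconstruction of a CCADB disclosure-consistency check.
Added example; field names, rules and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CARecord:
    name: str
    cert_sha256: str
    spki_sha256: str                 # hash of the subject public key
    parent_sha256: Optional[str]     # issuing cert's hash; None for a root
    disclosed: bool = True
    audits_same_as_parent: bool = False   # assumed CCADB-style flag
    cps_same_as_parent: bool = False      # assumed CCADB-style flag
    standard_audit: Optional[str] = None  # WebTrust for CAs / ETSI audit URL
    br_audit: Optional[str] = None        # Baseline Requirements audit URL
    ev_audit: Optional[str] = None        # EV audit URL
    cps_url: Optional[str] = None
    tls_capable: bool = True         # serverAuth reachable -> BR audit expected
    ev_capable: bool = False         # EV policy reachable -> EV audit expected


AUDIT_FIELDS = ("standard_audit", "br_audit", "ev_audit")


def effective_audits(rec: CARecord, by_cert: Dict[str, CARecord]) -> Dict[str, Optional[str]]:
    # Follow "same as parent" up the chain to the record that lists the audits.
    while rec.audits_same_as_parent and rec.parent_sha256 in by_cert:
        rec = by_cert[rec.parent_sha256]
    return {f: getattr(rec, f) for f in AUDIT_FIELDS}


def effective_cps(rec: CARecord, by_cert: Dict[str, CARecord]) -> Optional[str]:
    while rec.cps_same_as_parent and rec.parent_sha256 in by_cert:
        rec = by_cert[rec.parent_sha256]
    return rec.cps_url


def classify(records: List[CARecord]) -> Dict[str, str]:
    """Assign every non-root record to one disclosure bucket."""
    by_cert = {r.cert_sha256: r for r in records}
    roots_by_spki: Dict[str, List[CARecord]] = {}
    for r in records:
        if r.parent_sha256 is None:
            roots_by_spki.setdefault(r.spki_sha256, []).append(r)

    buckets: Dict[str, str] = {}
    for r in records:
        if r.parent_sha256 is None:
            continue                       # roots are the reference, not checked
        if not r.disclosed:
            buckets[r.name] = "Undisclosed"
            continue
        audits = effective_audits(r, by_cert)
        cps = effective_cps(r, by_cert)
        incomplete = (audits["standard_audit"] is None or cps is None
                      or (r.tls_capable and audits["br_audit"] is None)
                      or (r.ev_capable and audits["ev_audit"] is None))
        if incomplete:
            buckets[r.name] = "Disclosure Incomplete"
            continue
        # A cross-certificate carries the key of a root already in the program;
        # its effective audit and CP/CPS details must match that root's.
        refs = roots_by_spki.get(r.spki_sha256, [])
        if any(effective_audits(root, by_cert) != audits for root in refs):
            buckets[r.name] = "Disclosed, but with Inconsistent Audit details"
        elif any(effective_cps(root, by_cert) != cps for root in refs):
            buckets[r.name] = "Disclosed, but with Inconsistent CP/CPS details"
        else:
            buckets[r.name] = "Disclosed"
    return buckets


# Constructed sample records (hashes and URLs are placeholders).
SAMPLE = [
    CARecord("Root A", "cert-root-a", "spki-a", None,
             standard_audit="https://example.test/a/webtrust.pdf",
             br_audit="https://example.test/a/br.pdf",
             cps_url="https://example.test/a/cps.pdf"),
    CARecord("Root B", "cert-root-b", "spki-b", None,
             standard_audit="https://example.test/b/webtrust.pdf",
             br_audit="https://example.test/b/br.pdf",
             cps_url="https://example.test/b/cps.pdf"),
    # Root B's key cross-signed by Root A but disclosed under A's audits and CPS.
    CARecord("Cross B by A (audits from A)", "cert-xb-1", "spki-b", "cert-root-a",
             audits_same_as_parent=True, cps_same_as_parent=True),
    # Same key, correct audits listed, but CPS inherited from Root A.
    CARecord("Cross B by A (CPS from A)", "cert-xb-2", "spki-b", "cert-root-a",
             standard_audit="https://example.test/b/webtrust.pdf",
             br_audit="https://example.test/b/br.pdf", cps_same_as_parent=True),
    CARecord("Intermediate A1", "cert-a1", "spki-a1", "cert-root-a",
             audits_same_as_parent=True, cps_same_as_parent=True),
    # TLS-capable intermediate that lists only a standard audit, no BR audit.
    CARecord("Intermediate A2", "cert-a2", "spki-a2", "cert-root-a",
             standard_audit="https://example.test/a2/webtrust.pdf",
             cps_same_as_parent=True),
    CARecord("Intermediate B1", "cert-b1", "spki-b1", "cert-root-b", disclosed=False),
]

if __name__ == "__main__":
    for name, bucket in classify(SAMPLE).items():
        print(f"{bucket:50} {name}")
```

One limitation worth keeping in mind: this kind of check only compares the URLs and flags recorded in CCADB with each other. It cannot detect the GoDaddy-style case Andrew raises, where an intermediate is marked "same as parent" but does not actually appear in the parent's audit report; that requires reading the audit letter itself.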