Closed Bug 1230797 Opened 9 years ago Closed 9 years ago

Distrust ISRG Subordinate Certificate and Remove It Until the CA is Compliant with Mozilla Policies

Categories: CA Program :: CA Certificate Root Program, task

Status: RESOLVED INVALID

People: Reporter: support, Assigned: kathleen.a.wilson

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Mozilla CA Certificate Inclusion Policy requires a not technically constrained subordinate CA to be publicly disclosed and audited.

A formal audit is missing; it was announced for November 2015, but there is still only a readiness assessment.
Depends on: 1204656
A PITRA (point-in-time readiness assessment) is sufficient to begin issuing if the formal audit follows in a timely fashion. It's not possible to have a formal audit of the issuance process unless you are issuing; requiring it to begin issuance would lead to a chicken-and-egg problem.

Gerv
Which timeframe counts as a timely fashion? Wasn't there a beta phase to provide evidence of the issuance process already?
Please see what's in the Mozilla wiki about BR audits, in particular:

https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit

> *Note that the CA's first Baseline Requirements audit may be a Point in Time audit.*
> ...
> To clarify, if the root certificate is not yet in production and is not yet issuing certificates to customers, then a Point in Time Readiness Assessment of BR compliance (BR PITRA) may be used.

The normal timeline for audits is annual, so this reads to me to mean that they have up to a year to have a full audit done.  In addition, as Gerv notes, a full audit requires the CA to have been in operation for some time (60 days is mentioned in the above document), so one would not expect a full audit to be available until at least several months after a new CA started issuance.  Given that Let's Encrypt only started issuing in September, it seems they are still within the window of "timely fashion".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Gervase Markham [:gerv] from comment #2)
> A PITRA (point-in-time readiness assessment) is sufficient to begin issuing
> if the formal audit follows in a timely fashion. It's not possible to have a
> formal audit of the issuance process unless you are issuing; requiring it to
> begin issuance would lead to a chicken-and-egg problem.

I believe the requirement is set as follows in section 8.1:

If the CA does not have a currently valid Audit Report indicating compliance with one of the audit schemes listed in Section 8.1, then, before issuing Publicly-Trusted Certificates, the CA SHALL successfully complete a point-in-time readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in Section 8.1. The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme *within ninety (90) days* of issuing the first Publicly-Trusted Certificate.

My interpretation is that the CA MUST provide a complete audit WITHIN 90 days after issuing the first certificate.
Well, the first open cert that was issued was for https://helloworld.letsencrypt.org/, and conveniently they are valid for 90 days, which is the time to complete the full audit. The cert expires on Friday, Dec 12, 20:22:00 GMT, so they still have some days to finish their audit, even though I doubt it will be finished by then.
Product: mozilla.org → NSS
Product: NSS → CA Program