Bug 1230797 (Closed)
Opened 9 years ago; Closed 9 years ago
Distrust ISRG Subordinate Certificate and Remove It Until the CA is Compliant with Mozilla Policies
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: support; Assigned: kathleen.a.wilson
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Comment 1 • 9 years ago • Reporter

Mozilla CA Certificate Inclusion Policy requires a not technically constrained subordinate CA to be publicly disclosed and audited. A formal audit is missing. It has been announced for November 2015, but there is still only a readiness assessment.
Depends on: 1204656
Comment 2 • 9 years ago

A PITRA (point-in-time readiness assessment) is sufficient to begin issuing if the formal audit follows in a timely fashion. It's not possible to have a formal audit of the issuance process unless you are issuing; requiring it to begin issuance would lead to a chicken-and-egg problem.

Gerv
Comment 3 • 9 years ago • Reporter
Which timeframe is a timely fashion? Wasn't there a beta phase to have evidence of the issue process yet?
Comment 4 • 9 years ago

Please see what's in the Mozilla wiki about BR audits, in particular: https://wiki.mozilla.org/CA:BaselineRequirements#A_CA.27s_First_BR_Audit

> *Note that the CA's first Baseline Requirements audit may be a Point in Time audit.*
> ...
> To clarify, if the root certificate is not yet in production and is not yet issuing certificates to customers, then a Point in Time Readiness Assessment of BR compliance (BR PITRA) may be used.

The normal timeline for audits is annual, so this reads to me to mean that they have up to a year to have a full audit done. In addition, as Gerv notes, a full audit requires the CA to have been in operation for some time (60 days is mentioned in the above document), so one would not expect a full audit to be available until at least several months after a new CA started issuance. Given that Let's Encrypt only started issuing in September, it seems they are still within the window of "timely fashion".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Comment 5 • 9 years ago

(In reply to Gervase Markham [:gerv] from comment #2)
> A PITRA (point-in-time readiness assessment) is sufficient to begin issuing
> if the formal audit follows in a timely fashion. It's not possible to have a
> formal audit of the issuance process unless you are issuing; requiring it to
> begin issuance would lead to a chicken-and-egg problem.

I believe the requirement is set as follows in section 8.1:

> If the CA does not have a currently valid Audit Report indicating compliance with one of the audit schemes listed in Section 8.1, then, before issuing Publicly-Trusted Certificates, the CA SHALL successfully complete a point-in-time readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in Section 8.1. The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme *within ninety (90) days* of issuing the first Publicly-Trusted Certificate.

My interpretation is that the CA MUST provide a complete audit WITHIN 90 days after issuing the first certificate.
Well, the first open cert that was issued was for https://helloworld.letsencrypt.org/ and conveniently they are valid for 90 days, which is the time to complete the full audit, and the cert expires on Friday, Dec 12, 20:22:00 GMT, so they still have some days to finish their audit, even though I doubt it will be finished until then.

It seems the audit has been finished:

* https://letsencrypt.org/documents/LE_WebTrustforBR.pdf
* https://letsencrypt.org/documents/LE_WebTrustforCA.pdf

More information: https://community.letsencrypt.org/t/audits-of-lets-encrypt-finished/6518
Updated • 7 years ago
Product: mozilla.org → NSS

Updated • 2 years ago
Product: NSS → CA Program