Closed
Bug 1368176
Opened 7 years ago
Closed 7 years ago
DigiCert: Non-audited, non-technically-constrained intermediate certs
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Assigned: jeremy.rowley)
Details
(Whiteboard: [ca-compliance] [disclosure-failure] [audit-failure])
Attachments
(1 file)
According to the CCADB, the following intermediate certificates are not audited and are not technically constrained.

Belgium Root CA3, F7:5A:4D:49:A5:2B:04:3F:C7:32:4B:8F:26:3A:C8:A9:B7:BD:22:A3:28:86:85:88:BD:FC:93:7D:3C:39:6E:B6
Belgium Root CA2, CF:FA:9C:01:EC:59:C2:9E:71:8D:0D:D0:EF:54:79:F0:9B:51:C9:57:80:AF:B7:BD:69:D3:C8:05:4A:FE:4D:28
Belgium Root CA4, 84:60:CC:AE:A9:1B:0E:80:5A:B5:1C:7C:D4:6D:DF:2E:8C:1C:49:48:06:D8:8B:1F:E2:ED:31:3D:1D:48:7E:2E
ABB Intermediate CA 3 - cd79, 96:EF:33:C2:4A:8B:1F:16:CF:17:0F:43:22:1E:17:E6:2A:FF:69:0A:8B:01:4F:24:52:9B:FE:B3:8F:40:A0:DA
Belgium Root CA3, A8:D1:4E:94:5E:3E:51:56:BC:AE:5E:39:73:7C:F6:A1:B1:F5:10:28:BB:BF:98:2F:50:CE:5F:4C:05:56:8B:4D
Belgium Root CA4, C3:FB:F3:72:59:AF:09:54:EE:EA:42:82:DD:1C:72:26:A5:4E:71:50:F7:C2:9A:2C:49:5B:A3:4D:BF:E0:9C:A0
Eurida Primary CA, 08:03:53:74:71:C7:4F:EF:40:09:98:69:6D:34:62:CB:0B:89:52:4E:BD:D3:70:FE:00:51:90:0A:14:48:51:27

Reporter
Updated•7 years ago
Assignee: kwilson → jeremy.rowley
Reporter
Comment 1•7 years ago
Audit statements have been received for the "Belgium Root CA*" CA hierarchies. Now we are waiting for the audit statements to be either provided online or via Bugzilla, and then their corresponding CCADB records updated. The ABB and Eurida certs are technically constrained but don't quite meet the Baseline Requirements in this area (ABB has the IPv6 constraint incorrect, and Eurida doesn't have an EKU even though it is name constrained). Since Firefox treats these as technically constrained I am granting an exception to both of these. In order to stop notifications about these, I have checked the "...Same as Parent" boxes and noted the exception in the "Comments" field.
Comment 2•7 years ago
We are working with ABB and NET Norway (Eurida) to sunset these two CAs that do not have recent audits. The issue is that these two CA certificates are technically constrained with minor errors--ABB is not IPv6 constrained and we replaced the Eurida CA last year with name constraints and IP constraints, but we overlooked a sentence in the Baseline Requirements, which said there needed to be an EKU specified. Both of these CAs have ceased issuance, and they are now in a sunsetting period, so I agree with Kathleen's decision to check the "...Same as Parent" boxes and note the situation in the "Comments" field.
Comment 3•7 years ago
Webtrust for CAs seal and report are available @ https://cert.webtrust.org/ViewSeal?id=2258
Audit Report for SSL Baseline Requirements with Network Security has been shared with @jeremy for CCADB upload.
Comment 4•7 years ago
As per Kathleen's request.
Reporter
Comment 5•7 years ago
Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•2 years ago
Product: NSS → CA Program
Updated•1 year ago
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure] [audit-failure]