Closed Bug 1368176 Opened 2 years ago Closed 2 years ago

DigiCert: Non-audited, non-technically-constrained intermediate certs

Categories

(NSS :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: jeremy.rowley)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

According to the CCADB, the following intermediate certificates are not audited and are not technically constrained.

Belgium Root CA3, F7:5A:4D:49:A5:2B:04:3F:C7:32:4B:8F:26:3A:C8:A9:B7:BD:22:A3:28:86:85:88:BD:FC:93:7D:3C:39:6E:B6

Belgium Root CA2, CF:FA:9C:01:EC:59:C2:9E:71:8D:0D:D0:EF:54:79:F0:9B:51:C9:57:80:AF:B7:BD:69:D3:C8:05:4A:FE:4D:28

Belgium Root CA4, 84:60:CC:AE:A9:1B:0E:80:5A:B5:1C:7C:D4:6D:DF:2E:8C:1C:49:48:06:D8:8B:1F:E2:ED:31:3D:1D:48:7E:2E

ABB Intermediate CA 3 - cd79, 96:EF:33:C2:4A:8B:1F:16:CF:17:0F:43:22:1E:17:E6:2A:FF:69:0A:8B:01:4F:24:52:9B:FE:B3:8F:40:A0:DA

Belgium Root CA3, A8:D1:4E:94:5E:3E:51:56:BC:AE:5E:39:73:7C:F6:A1:B1:F5:10:28:BB:BF:98:2F:50:CE:5F:4C:05:56:8B:4D

Belgium Root CA4, C3:FB:F3:72:59:AF:09:54:EE:EA:42:82:DD:1C:72:26:A5:4E:71:50:F7:C2:9A:2C:49:5B:A3:4D:BF:E0:9C:A0

Eurida Primary CA, 08:03:53:74:71:C7:4F:EF:40:09:98:69:6D:34:62:CB:0B:89:52:4E:BD:D3:70:FE:00:51:90:0A:14:48:51:27

Assignee: kwilson → jeremy.rowley

Audit statements have been received for the "Belgium Root CA*" CA hierarchies. Now we are waiting for the audit statements to be either provided online or via Bugzilla, and then their corresponding CCADB records updated.

The ABB and Eurida certs are technically constrained but don't quite meet the Baseline Requirements in this area (ABB has the IPv6 constraint incorrect, and Eurida doesn't have an EKU even though it is name constrained). Since Firefox treats these as technically constrained I am granting an exception to both of these. In order to stop notifications about these, I have checked the "...Same as Parent" boxes and noted the exception in the "Comments" field.

We are working with ABB and NET Norway (Eurida) to sunset these two CAs that do not have recent audits. The issue is that these two CA certificates are technically constrained with minor errors--ABB is not IPv6 constrained and we replaced the Eurida CA last year with name constraints and IP constraints, but we overlooked a sentence in the Baseline Requirements, which said there needed to be an EKU specified. Both of these CAs have ceased issuance, and they are now in a sunsetting period, so I agree with Kathleen's decision to check the "...Same as Parent" boxes and note the situation in the "Comments" field.

WebTrust for CAs seal and report are available @ https://cert.webtrust.org/ViewSeal?id=2258
Audit Report for SSL Baseline Requirements with Network Security has been shared with @jeremy for CCADB upload.
Thanks!

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
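
The two defects discussed in this bug (an intermediate whose IPv6 range is not constrained, and a name-constrained intermediate with no EKU) are what a check of an intermediate's extensions against the Baseline Requirements rule for technically constrained CAs reports. The Python below is an added example, not code from this bug, Mozilla or DigiCert; it assumes the EKU and name-constraint values have already been read from the certificate, and the function names and sample values are hypothetical.

```python
import ipaddress

ANY_EKU, SERVER_AUTH = "anyExtendedKeyUsage", "serverAuth"

def covers_all(excluded_ip, version):
    """True if an excluded iPAddress subtree spans the whole address family."""
    nets = map(ipaddress.ip_network, excluded_ip)
    return any(n.version == version and n.prefixlen == 0 for n in nets)

def constraint_defects(eku, permitted, excluded):
    """List the reasons an intermediate is not technically constrained.

    eku: EKU names, or None when the extension is absent.
    permitted/excluded: dicts mapping "dns" and "ip" to name-constraint subtrees.
    Simplified reading of BR section 7.1.5; directoryName checks are omitted.
    """
    defects = []
    if eku is None:
        defects.append("no EKU extension")
    elif ANY_EKU in eku:
        defects.append("EKU contains anyExtendedKeyUsage")
    # An absent EKU leaves serverAuth unrestricted, so name checks still apply.
    if eku is None or SERVER_AUTH in eku or ANY_EKU in eku:
        if not permitted.get("dns") and "" not in excluded.get("dns", []):
            defects.append("dNSName not constrained")
        if not permitted.get("ip"):
            # No permitted ranges: both families must be excluded in full.
            for version in (4, 6):
                if not covers_all(excluded.get("ip", []), version):
                    defects.append(f"IPv{version} range not excluded")
    return defects

# Constructed samples modeled on the two defects described in the thread;
# they are not the extension values of the real certificates.
SAMPLES = {
    "ipv6-gap": dict(eku=["serverAuth", "clientAuth"],
                     permitted={"dns": ["example.com"]},
                     excluded={"ip": ["0.0.0.0/0"]}),
    "missing-eku": dict(eku=None, excluded={},
                        permitted={"dns": ["example.net"], "ip": ["192.0.2.0/24"]}),
    "compliant": dict(eku=["serverAuth"],
                      permitted={"dns": ["example.org"]},
                      excluded={"ip": ["0.0.0.0/0", "::/0"]}),
}

if __name__ == "__main__":
    for name, ext in SAMPLES.items():
        print(name, constraint_defects(**ext) or "technically constrained")
```

An empty list means the sample passes these checks; any entry is a reason the certificate would need its own audit or an exception such as the one recorded in this bug.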