Certinomis: Unqualified Domain Name in SAN
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: wthayer, Assigned: marc.maitre)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
Comment 3•7 years ago
Reporter
Comment 4•7 years ago
Reporter
Comment 5•7 years ago
Comment 6•7 years ago
Marc: It's been nearly two weeks. Do you have an update?
Reporter
Comment 7•6 years ago
Francois: We are still awaiting a response from Certinomis to comment #3.
Comment 8•6 years ago
Hello,
There are several decisions that had been taken and are on the point of becoming effective:
- a function has been developed for checking revocations: every night a list of revoked SSL certificates will be extracted and sent to Certinomis management for regularly checking revocation reasons (as there are few revocations, we are confident that it will remain an acceptable load of work), planned for mid-March.
- automatic pre-issuance controls of domain name validity have been strengthened so that registration operators have no latitude in that matter.
- post-issuance linting of issued certificates will be performed every day by an internal audit team, different from the operational one, planned for mid-March.
- in a longer perspective (no less than six months), we plan to implement pre-issuance linting on the PKI software.
Kind Regards,
François
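A sketch of the kind of daily post-issuance check described in the comment above, focused on the defect in this bug's title (an unqualified name in the SAN). It is an added example, not Certinomis's code or any real linter: the function names and the sample serials and names are constructed, and it assumes the SAN dNSName values have already been extracted from each issued certificate.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def lint_dns_name(name):
    """Return a list of findings for one SAN dNSName value (empty list = pass)."""
    if not name or len(name) > 253:
        return ["empty or longer than 253 characters"]
    try:
        ipaddress.ip_address(name)
        return ["IP address encoded as dNSName"]
    except ValueError:
        pass  # not an IP literal, continue with name checks
    findings = []
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard is accepted only as the whole leftmost label
    if any("*" in label for label in labels):
        findings.append("wildcard is not a whole leftmost label")
    if name.endswith("."):
        findings.append("trailing dot")
        labels = labels[:-1]
    if len(labels) < 2:
        findings.append("unqualified name (fewer than two labels)")
    if any(not LABEL.fullmatch(l) for l in labels if "*" not in l):
        findings.append("invalid label syntax")
    return findings

def lint_batch(certs):
    """certs maps a certificate serial to its SAN dNSName list; return failures only."""
    report = {}
    for serial, names in certs.items():
        bad = {n: f for n in names if (f := lint_dns_name(n))}
        if bad:
            report[serial] = bad
    return report

# Constructed sample input (not taken from the bug): serials and names are made up.
SAMPLE = {
    "01": ["www.example.com", "*.example.com"],
    "02": ["example.com", "intranet"],
    "03": ["mail.example.com", "10.0.0.1"],
}

if __name__ == "__main__":
    for serial, bad in lint_batch(SAMPLE).items():
        print(serial, bad)
```

The same function can be called before signing, so a request containing a failing name is rejected instead of being reported the next day.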
Reporter
Comment 9•6 years ago
I'm setting the next update for this bug to mid-March, when the nightly revocation check is planned.
Francois: thank you for the update. Do you mean that it will be longer than 6 months before Certinomis will implement pre-issuance linting? If so, why will it wait so long?
Comment 10•6 years ago
Hello Wayne,
We have to upgrade the PKI software version before connecting the linter to it.
And our team is already engaged in some heavy projects, which means the upgrade of version cannot be started presently.
If we try to do too many things at the same time I fear the result would not reach our expectations.
Kind Regards,
François
Reporter
Comment 11•6 years ago
Has the "function for checking revocations" been deployed to production yet? If it has, why was this bug not updated to reflect that change?
Comment 12•6 years ago
Dear Wayne,
Here is the status report for the three changes announced last month:
- checking revocation has been rejected in testing phase and now corrected; the new version has been delivered for testing and I believe I will be happy soon to announce it is in production;
- automatic pre-issuance couldn't be deployed either, we have to fix it;
- post-issuance linting is working and has already enabled us to react immediately on an error.
Kind regards,
François
Reporter
Comment 13•6 years ago
The Certinomis Root CA is being removed from the Mozilla root store in bug 1552374, so I am resolving this bug. Additional comments that may be useful when considering any future application by Certinomis are welcome.