Closed Bug 1564544 Opened 5 years ago Closed 4 years ago

Add DarkMatter's QuoVadis Subordinate CAs to OneCRL

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: wthayer)

Attachments

(1 file)

Pending Kathleen's approval, please add the following DarkMatter subordinate CAs to OneCRL:

DarkMatter Assured CA - D8888F4A84F74C974DFFB573A1BF5BBBACD1713B905096F8EB015062BF396C4D
DarkMatter High Assurance CA - 3AE699D94E8FEBDACB86D4F90D40903333478E65E0655C432451197E33FA07F2
DarkMatter Secure CA - A25A19546819D048000EF9C6577C4BCD8D2155B1E4346A4599D6C8B79799D4A1

This request is based on the following discussion: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ

I'd like to point out that there are three additional DarkMatter intermediates (as they have the same SPKI as the three intermediates listed by Wayne) that are revoked, but for completeness (and a lack of faith in revocation checking) should be added to OneCRL as well:

https://crt.sh/?id=417999816
https://crt.sh/?id=19415522
https://crt.sh/?id=23432430

As an aside, two of these serverAuth EKU intermediates (https://crt.sh/?id=19415522, https://crt.sh/?id=23432430) were reported to Digicert in a Certificate Problem Report in February for incorrect syntax (leading "." in dNSName) in the nameConstraints extension. To my knowledge, no incident report was ever filed about these mis-issuances by Digicert, nor was any follow-up received to the initial report.

Here's what CCADB has for the 6 relevant intermediate certs...

| Certificate Subject Common Name | SHA-256 Fingerprint | Revocation Status | OneCRL Status |
|---|---|---|---|
| DarkMatter Assured CA | 60F066DC78A4E2E929A1C8ED102EDB707DF03181F82FDF50D53A52DAC355C65B | Revoked | Added to OneCRL |
| DarkMatter High Assurance CA | E0A670F4F1057E9179E9DB45E333CE37E3EE31C3499F1C584A587BD9A5F53640 | Revoked | Added to OneCRL |
| DarkMatter Secure CA | A019811E4369CA4C62AAA80A1549613E60F6C5CED383AF9D79DF8F8F193F1DFE | Revoked | Added to OneCRL |
| DarkMatter Assured CA | D8888F4A84F74C974DFFB573A1BF5BBBACD1713B905096F8EB015062BF396C4D | Not Revoked | - |
| DarkMatter High Assurance CA | 3AE699D94E8FEBDACB86D4F90D40903333478E65E0655C432451197E33FA07F2 | Not Revoked | - |
| DarkMatter Secure CA | A25A19546819D048000EF9C6577C4BCD8D2155B1E4346A4599D6C8B79799D4A1 | Not Revoked | - |

(In reply to Wayne Thayer [:wayne] from comment #0)

> Pending Kathleen's approval, please add the following DarkMatter subordinate CAs to OneCRL:
>
> DarkMatter Assured CA - D8888F4A84F74C974DFFB573A1BF5BBBACD1713B905096F8EB015062BF396C4D
> DarkMatter High Assurance CA - 3AE699D94E8FEBDACB86D4F90D40903333478E65E0655C432451197E33FA07F2
> DarkMatter Secure CA - A25A19546819D048000EF9C6577C4BCD8D2155B1E4346A4599D6C8B79799D4A1
>
> This request is based on the following discussion: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ

Approved.

Reference:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/JIBk4fECDwAJ

Assignee: kwilson → wthayer

DigitalTrust's appeal to the Mozilla decision

(In reply to Scott Rea from comment #4)

> Created attachment 9078859
> DigitalTrust - Mozilla Appeal - 2019-07-17.pdf
> DigitalTrust's appeal to the Mozilla decision

Mozilla's Top Level Module Committee denied this appeal:
https://groups.google.com/d/msg/mozilla.dev.security.policy/W7sQUNMRACs/C-GtUyC4BwAJ

These certs were added to OneCRL via Bug #1622034.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program