(In reply to Stephen Davidson from comment #3)
> As noted elsewhere, several CAs misinterpreted the applicability to renewals of the rule regarding EKU in new intermediate certificates issued after 1 January 2019.
It would be useful if you could provide links to support this.
Of the three related bugs - Bug 1586795, Bug 1586847, and Bug 1586787 - no incident report has identified the confusion that QuoVadis is asserting. The closest I could see supporting QuoVadis' argument is Bug 1586795, but that bug clearly indicates that the issue was a lack of communication from staff about the Mozilla changes, and thus a failure to implement the change - not, as QuoVadis is asserting here, a misinterpretation about the applicability.
> It is not an issue of competence, but rather a clear understanding of the requirement.
Just to highlight, this doesn't address the question raised in Comment #2, where I stated:
> If QuoVadis believes there were reasonable grounds for this confusion, then it'd be useful to understand how QuoVadis proposes to address this confusion in the future.
I don't see how QuoVadis is addressing this confusion in the future. It seems to be saying "We're not confused anymore on this specific issue", but this does not propose solutions for how to resolve future confusion, and thus it seems equally likely that Policy 2.7 may be instituted, QuoVadis/DigiCert will confirm it understands, then cause a violation, state they were confused, and state that they're no longer confused. I want to understand if there are opportunities to break that cycle before it happens, because that would benefit not just QuoVadis, but all CAs.
> Since the time of that renewal, the QuoVadis PKI team has been integrated into the DigiCert PKI Operations team and adopted many of their practices, including checklists and review signoffs. That process continues and, as you know, DigiCert has a serious commitment to standards development, compliance review, and continuous improvement in operations.
> I am deferring this to Wayne if he'd like to close it out.
I'm deeply concerned with an approach to CA management that says "Under new management; all old issues are in the past". DigiCert has, for example, the largest number of compliance issues of any currently-trusted CA, so I do not feel particularly reassured on this front. As it applies to the issuance of Sub-CAs, DigiCert has had a repeated number of issues regarding the issuance, auditing, and disclosure of Sub-CAs, so similarly, I don't feel particularly reassured.
I can understand and appreciate if QuoVadis does not have any further actionable details to share. I think such a non-response would be useful to consider, when considering the holistic set of issues a CA (such as QuoVadis + DigiCert) has, and how they respond to incidents. I know this seems extreme, but I want to reiterate: The point of these incident reports is
- To build confidence that the CA holistically understands the issue and has addressed it
- To develop better approaches, as an industry, to prevent such issues.
I don't believe the response really meets either of those requirements, which is fine; I'm not going to try to pluck a diamond out of coal, but it would certainly become part of the considerations when holistically considering the CA.
If the DigiCert folks want to share any added insight, that would likely be very useful. Otherwise, I defer to Wayne to see if he's happy with the explanation provided and the steps provided to prevent future confusion by QuoVadis/DigiCert.