Closed Bug 948175 Opened 12 years ago Closed 9 years ago

Distrust PM/SGDN's Root Certificate and Remove It Until the CA is Compliant with Mozilla Policies

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: david, Assigned: kathleen.a.wilson)

Per reply from the Government of France (owner of PM/SGDN) to communication from Mozilla on 10 Jan 2013, that CA will not be in compliance with Mozilla's policies or CA/Browser Forum's Baseline Requirements for another 1.5 to 2.0 years.

Until such compliance is obtained, the PM/SGDN IGC/A root (serial number 39:11:45:10:94) presents the possibility of a security vulnerability to Mozilla users. Indeed, a lapse at PM/SGDN has already resulted in an intermediate certificate being issued that created a MITM situation. Therefore, this root should be marked immediately as distrusted and then removed from the NSS database as soon as possible.

NOTE: Merely marking the discrepant intermediate certificate as distrusted is not sufficient to bring PM/SGDN into compliance with Mozilla's policies or CA/Browser Forum's Baseline Requirements.

See Government of France comment under <https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHdISmM3c05tb1dMQjlJclJqS21QNmc&output=html> regarding PM/SGDN's schedule for compliance.

I'm not excusing the mistake that was made, but...

Keep in mind that we expected CAs to need time to transition to version 2.1 of Mozilla's CA Certificate Policy which was published in February 2013.
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

Governments have the additional burden of needing to get budget approved for the changes; a major change that requires additional resources needs to go into the budget planning cycle and get budgeted for their next fiscal year.

On the topic of Government CAs... I think it would be nice to constrain them to certain TLDs.

Removed via Bug #1272156.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program