
PROCERT decision


Gervase Markham

Sep 21, 2017, 12:23:28 PM
to mozilla-dev-s...@lists.mozilla.org, Ryan Sleevi, Kathleen Wilson
The CA Certificates module owner and peers have come to a decision
regarding our investigations into the activities of the CA "PROCERT".

A large number of issues were raised regarding the operations and
practices of this CA:
https://wiki.mozilla.org/CA:PROCERT_Issues

Considering them, it seems clear to us that PROCERT have not been, and
continue not to be, adequately aware of the requirements placed upon
them by various RFCs, the CA/Browser Forum's Baseline Requirements, and
Mozilla Root Store Policy. They have not demonstrated sufficient control
of their issuance pipeline or sufficient checking of the results to
avoid regularly creating certificates which violate the requirements of
one or more of those documents. PROCERT have also made assurances to us,
via responses to CA Communications, that certain things were true which
are manifestly not so (e.g. that they were using properly-randomized
serial numbers).

In addition, PROCERT's response to these issues was inadequate. While
they revoked (most, but not all, of) the certificates which were flagged
as problematic, their written responses have been limited in number and
are very superficial. In some cases, it is clear that they have not
understood the issue that was raised. They have not, to our knowledge,
performed any root cause analysis which might allow us to have some
confidence that problems of this or a similar nature will not recur. We
have very little insight into their systems and what, if any, safeguards
they have in place.

It seems that PROCERT's belief is that revocation is an adequate remedy
for all of the problems listed. We disagree. Therefore, we feel we can
no longer trust PROCERT, and plan to proceed with removing their
"PSPProcert" certificate from our root program and root store.

Kathleen Wilson
Gervase Markham
Ryan Sleevi

Andrew

Sep 21, 2017, 7:34:07 PM
to mozilla-dev-s...@lists.mozilla.org
Will there be any sort of deprecation period for PROCERT certificates as with StartCom/WoSign & Symantec? Or is PROCERT small enough that you believe it's feasible to just immediately distrust them without any significant negative impact on the overall web ecosystem?

Gervase Markham

Sep 28, 2017, 12:58:40 PM
to Andrew
On 22/09/17 00:33, Andrew wrote:
> Will there be any sort of deprecation period for PROCERT certificates
> as with StartCom/WoSign & Symantec? Or is PROCERT small enough that
> you believe it's feasible to just immediately distrust them without
> any significant negative impact on the overall web ecosystem?

Kathleen has stated her current plan is to roll this change into the
October batch of root changes, which will ship with Firefox 58.

Gerv