Peter, did you read the blog posts?
1) https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
2) http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
>
> Is there any data on this intermediate?
Does the Google blog post answer your question?
Note that they provided the cert chain:
https://drive.google.com/file/d/0B_OzbbAp1CG5NXVrYmFPbFhUV2s/view?usp=sharing
>
> - Was it publicly disclosed as per Mozilla's unconstrained subordinate policy?
In the next version of Mozilla's policy I plan to add information about
when CAs are required to disclose their unconstrained subordinates,
which I expect will be in line with the Baseline Requirements.
According to the Baseline Requirements sections 17 and 17.4, a pre-issuance
Readiness Audit is to be done before the SubCA begins issuing
publicly-trusted certs. Then a complete audit is due within 90 days of
issuing the first publicly-trusted cert.
>
> - Was it issued since their latest complete audit period ended and, if
> not, did their auditor flag it?
From Mozilla's blog post:
"CNNIC issued an unconstrained intermediate certificate that was labeled
as a test certificate and had a two week validity, expiring April 3, 2015."
CNNIC's most recent audit statement is 8/1/2014.
>
> - What response has there been from CNNIC on this issue?
The CNNIC representative notified me of the certificate revocation on
Sunday, without prompting from me. (I had not sent them email asking
about it.)
> How do they
> explain issuing a subordinate CA certificate with a private key not
> being on a HSM meeting the Baseline Requirements?
That is a very good question. Their customer apparently used a Palo Alto
Networks firewall's built-in CA server to create their CSR, and
planned to export it and import it into their CA server. Apparently
CNNIC was not aware that the customer had done this (until the incident
occurred).
It is a good question about how CAs can better inform their customers
and make sure their customers don't do things like this.
>
> - How many other CA certs has CNNIC issued which are not stored on HSMs?
>
Remember that it is CNNIC's customer who made this mistake. CNNIC, as
the CA, is still responsible for it. But I would be surprised if CNNIC
themselves have this problem; nonetheless, I will ask them.
Kathleen
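The thread turns on whether a subordinate CA is "unconstrained" in the sense of Mozilla's policy, i.e. whether it can issue a publicly-trusted certificate for any domain. As an added example (not from this thread, and not Mozilla's or CNNIC's code), the Python snippet below uses the `cryptography` library to inspect a sub-CA certificate for the two technical constraints that matter here (Name Constraints and an EKU that excludes TLS server authentication) and reports its validity period; the `make_sub_ca` helper builds a constructed demo certificate, signed by a throwaway root key, so the check can be run offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _validity_days(cert: x509.Certificate) -> int:
    # not_valid_*_utc exists from cryptography 42 on; fall back for older releases
    try:
        return (cert.not_valid_after_utc - cert.not_valid_before_utc).days
    except AttributeError:
        return (cert.not_valid_after - cert.not_valid_before).days


def audit_intermediate(cert: x509.Certificate) -> dict:
    """Report whether a sub-CA cert is technically constrained (Name Constraints,
    or an EKU that excludes serverAuth) or can issue for any domain."""
    ext = cert.extensions
    report = {"is_ca": False, "name_constraints": False, "eku_restricted": False,
              "validity_days": _validity_days(cert)}
    try:
        report["is_ca"] = ext.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        pass
    try:
        ext.get_extension_for_class(x509.NameConstraints)
        report["name_constraints"] = True
    except x509.ExtensionNotFound:
        pass
    try:
        eku = ext.get_extension_for_class(x509.ExtendedKeyUsage).value
        # an EKU that still permits serverAuth or anyExtendedKeyUsage restricts nothing for TLS
        report["eku_restricted"] = (ExtendedKeyUsageOID.SERVER_AUTH not in eku and
                                    ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE not in eku)
    except x509.ExtensionNotFound:
        pass  # a CA cert with no EKU at all is unrestricted
    report["technically_constrained"] = report["name_constraints"] or report["eku_restricted"]
    return report


def make_sub_ca(constrained: bool, days: int = 14) -> x509.Certificate:
    """Build a constructed (hypothetical) sub-CA cert for the demo; not a real CA's cert."""
    root_key = ec.generate_private_key(ec.SECP256R1())  # throwaway issuer key
    sub_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Sub CA")]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root")]))
         .public_key(sub_key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if constrained:  # limit the sub-CA to one DNS subtree
        b = b.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName("example.com")], excluded_subtrees=None), critical=True)
    return b.sign(root_key, hashes.SHA256())
```

Run `audit_intermediate` on a real sub-CA loaded with `x509.load_pem_x509_certificate` to get the same report for a certificate from a published chain.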