On Mon, 25 Jan 2021 22:21:31 -0700
For years, Camerfirma has promised to improve but failed to
deliver. In 2017, they promised technical controls over DNS
yet in 2019 they misissued for an unregistered domain
name because they "did not have the automatic controls yet"
>. In 2017,
they promised linting of all certificates, and are promising it
again in their latest remediation plan. In 2019 they assured
Mozilla that they had contractual control over their sub-CAs
including mandatory revocation and use of a central lint service
>. Yet their
sub-CA Intesa Sanpaolo continued to delay revoking certificates
> that were
misissued with invalid stateOrProvinceNames
>. Now Camerfirma
is once again proposing to use contractual controls to remediate their
Given Camerfirma's past behavior, why should Mozilla trust Camerfirma to
deliver on their latest remediation plan? Mozilla's users should not
have to assume the risk of trusting Camerfirma while we wait to see if
this time, Camerfirma finally becomes a competent and trustworthy CA.
Instead of making Mozilla users assume the risk, Camerfirma should be
distrusted now. When Camerfirma applies for re-inclusion, Mozilla can
evaluate whether the remediation plan has worked.
On Tue, 26 Jan 2021 16:01:31 -0700
Ben Wilson via dev-security-policy
> First, it has been Mozilla's long-standing position that, "We believe
> that the best approach to safeguarding secure browsing is to work with CAs
> as partners, to foster open and frank communication, and to be diligent
> in looking for ways to keep our users safe." So, expect that we will
> take a well-thought and deliberate approach to this issue with Camerfirma.
The other part of this is "participation in Mozilla's CA Certificate
Program is at our sole discretion, and we will take whatever steps are
necessary to keep our users safe."
Mozilla has been working with Camerfirma since 2017 through the
many compliance bugs in Bugzilla. In several cases, Camerfirma's
communications were lackluster or sluggish rather than "open and
- Failure to disclose misissuance that they were aware of:
- 4 week delay publishing incident report:
- 2 month delay publishing incident report:
- Failure to provide timely updates or explain reason for remediation
Mozilla's years-long effort to work with Camerfirma has not produced
sufficient improvement. It's now time for Mozilla to exercise its
discretion and distrust Camerfirma to keep its users safe.
> So, expect that we will take a well-thought and deliberate approach to this issue with Camerfirma.
As a point of comparison, the "Summary of Camerfirma's Compliance Issues"
thread has received 20 comments from 12 distinct community-members which
are overwhelmingly critical of Camerfirma, including several comments
calling explicitly for distrust. This new thread has attracted further
critical comments. The most similar previous incidents (small CAs with
a large number of compliance problems) were PROCERT and Certinomis.
Those discussion periods lasted just 14 and 30 days respectively, and
fewer people commented on them compared to the Camerfirma discussion.
The Camerfirma discussion has gone on for nearly 8 weeks at this point.
Camerfirma has received more deliberation than similar CAs did, and it's
inconsistent for Mozilla to prolong the discussion further.
> So there is another issue that needs to be considered, if distrust is
> chosen, whether to remove just the websites trust bit or to take action
> against all 4 roots, and if so, on what basis?
Like Wayne, I don't believe we have any reason to trust that Camerfirma
manages S/MIME certificate issuance any better than TLS certificate
issuance. Mozilla should distrust all Camerfirma roots so that both
Firefox and Thunderbird users are protected.