On Tue, Jan 28, 2014 at 4:25 PM, Kathleen Wilson <[email protected]> wrote:
> DigiCert has applied to include 5 new root certificates that will eventually
> replace the 3 DigiCert root certificates that were included in NSS via bug
> #364568. The request is to turn on all 3 trust bits and enable EV for all of
> the new root certs.
>
> 1) DigiCert Assured ID Root G2 -- This SHA-256 root will eventually replace
> the SHA-1 “DigiCert Assured ID Root CA” certificate.
>
> 2) DigiCert Assured ID Root G3 -- The ECC version of the Assured ID root.
>
> 3) DigiCert Global Root G2 -- This SHA-256 root will eventually replace the
> SHA-1 “DigiCert Global Root CA” certificate.
>
> 4) DigiCert Global Root G3 -- The ECC version of the Global root.
>
> 5) DigiCert Trusted Root G4 -- This SHA-384 root will eventually replace the
> SHA-1 “DigiCert High Assurance EV Root CA” certificate.

I object, only on the grounds that there is no technical need to have more than one root. I have a counter-proposal:

1. Add DigiCert Trusted Root G4 with all three trust bits set.
2. Ask DigiCert to issue versions of their intermediates that are signed/issued by "DigiCert Trusted Root G4".
3. Remove the existing DigiCert roots.
4. Preload all the intermediates signed by DigiCert Trusted Root G4 (with no trust bits, so they inherit trust from DigiCert Trusted Root G4) into NSS.

Benefits of my counter-proposal:

1. Fewer roots for us to manage.
2. Sites that forget to include their intermediates in their TLS cert chain are more likely to work in Firefox, without us having to do AIA caIssuers, because of us preloading the intermediates.
3. Because of #1, there is potential for us to design a simpler root certificate management UI.
4. We can do optimizations with the preloading of intermediates to avoid building the whole chain every time. (That is, we can precalculate the trust of the intermediates.)

This would set a good precedent for us to follow with all other CAs. By working with all CAs to do something similar, we would end up with one root per CA, and with a bunch of preloaded intermediates. Then we can separate the view of intermediates from the view of roots in the UI, and the UI will become much simpler.

Cheers,
Brian

