The Mozilla CA Certificate policy says, in part:

"8. All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with Mozilla’s CA Certificate Policy and MUST either be technically constrained or be publicly disclosed and audited.

* A certificate is deemed as capable of being used to issue new certificates if it contains an X.509v3 basicConstraints extension, with the cA boolean set to true.
* These requirements include all cross-certified certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program."

I would propose that transitive disclosure not be required when the subject of the CA-certificate is also the subject of a certificate included directly in the Mozilla trust store. This will not change the total set of certificates disclosed, rather just limit duplicate disclosure. It also ensures that the program member who most closely controls or is responsible for the transitive certificates is handling the disclosure, which should help assure accuracy of the disclosures.

However, to be clear, in the event that a CA not in the Mozilla trust store is cross-certified by two different program members, both are still responsible for full disclosure of all transitive certificates. This is due to the fact that each member is equally responsible; revocation of a cross-certificate issued by one member does not impact the cross-certificate issued by the other member.

I think that this should be adopted for policy version 2.3.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
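The disclosure rule discussed in the post, worked through on a small constructed PKI. This is an added illustration, not code from the post or from Mozilla; the member and CA names are hypothetical, and chains are built by matching issuer name to subject name, which is a simplification of real path building (no signature or key-identifier checks). It computes, for each included root, the set of CA certificates (basicConstraints cA = true) its program member must disclose, first under the current transitive wording and then under the proposed change, and shows that the union of disclosures across members is unchanged while a CA cross-certified by two members stays on both members' lists.

```python
"""Model of section 8 disclosure under the current wording and the proposed change.

Constructed example: certificates are plain records, not real X.509 objects, and
chaining is by issuer-name == subject-name only (a simplification).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool  # the basicConstraints cA boolean; only cA=true certificates count


# Constructed root store: included root subject -> responsible program member.
ROOT_STORE = {"Root A": "Member A", "Root B": "Member B"}

# Constructed certificate population (hypothetical names).
CERTS = [
    Cert("Root A", "Root A", True),
    Cert("Root B", "Root B", True),
    Cert("Root B", "Root A", True),             # A cross-certifies B's root (B is a member)
    Cert("Sub B", "Root B", True),
    Cert("External CA", "Root A", True),        # A cross-certifies a CA not in the store
    Cert("External CA", "Root B", True),        # B cross-certifies the same external CA
    Cert("External Sub", "External CA", True),
    Cert("www.example.test", "External Sub", False),  # end-entity, never disclosed
]


def must_disclose(root_subject, certs, store, proposed):
    """CA certificates chaining to `root_subject` that its member must disclose.

    With proposed=False every cA=true certificate reachable from the root is
    included (the current transitive wording). With proposed=True the walk still
    records a cross-certificate whose subject is another included root, but does
    not descend beneath it: that subject's own member discloses those.
    """
    disclosed = set()
    seen_issuers = set()
    stack = [root_subject]
    while stack:
        issuer = stack.pop()
        if issuer in seen_issuers:  # guards against cross-certification cycles
            continue
        seen_issuers.add(issuer)
        for c in certs:
            if c.issuer != issuer or not c.ca:
                continue
            if c.subject == c.issuer:  # a self-signed root, not a subordinate
                continue
            disclosed.add(c)
            if proposed and c.subject in store and c.subject != root_subject:
                continue  # another program member is responsible below this point
            stack.append(c.subject)
    return disclosed


def union_of_disclosures(certs, store, proposed):
    """Everything disclosed by any member; the post claims this set is unchanged."""
    out = set()
    for root in store:
        out |= must_disclose(root, certs, store, proposed)
    return out


if __name__ == "__main__":
    for proposed in (False, True):
        print("proposed rule:" if proposed else "current rule:")
        for root, member in ROOT_STORE.items():
            certs = must_disclose(root, CERTS, ROOT_STORE, proposed)
            print(f"  {member} discloses {len(certs)}:")
            for c in sorted(certs, key=lambda c: (c.issuer, c.subject)):
                print(f"    {c.issuer} -> {c.subject}")
        print(f"  total distinct: {len(union_of_disclosures(CERTS, ROOT_STORE, proposed))}")
```

Running it shows Member A's list shrinking from five certificates to three under the proposed rule (Sub B and B's cross-certificate to External CA drop off, since Root B is itself in the store), while External Sub remains on both members' lists because both cross-certified External CA, and the total distinct set stays at five.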

