On 3/10/16 9:25 PM, Eric Mill wrote:
> Would this be a good opportunity to ask CAs to do an audit of any
> undisclosed cross-signatures they may have to other unconstrained roots?
> For example, there were two recently discovered cross-signatures to the
> Federal Bridge by commercial CAs, Identrust and Symantec. Once it was
> identified that Identrust had not disclosed this cross-signature, Identrust
> revoked it:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c26
> While services like censys.io and crt.sh are doing wonders for finding
> things like this, it would also be beneficial to have CAs use their own
> vantage point over their cross-signatures to identify other possible gaps
> between what Mozilla understands their root store to trust and what it
> could potentially be made to trust.
I agree, but not sure what else to say in the communication.
~~
ACTION #2: Version 2.1 of Mozilla's CA Certificate Policy added the
requirement that CAs must provide public-facing documentation about
certificate verification requirements and annual public attestation of
conformance to the stated certificate verification requirements for all
certificates that are capable of being used to issue new certificates,
and which directly or transitively chain to their certificate(s)
included in Mozilla's CA Certificate Program that are not technically
constrained as described in section 9 of Mozilla's CA Certificate
Inclusion Policy.
Respond with the date by which you plan to complete entry into Mozilla's
CA Community in Salesforce of the PEM data, CP/CPS, and audit statements
for all certificates that are capable of being used to issue new
certificates, and which directly or transitively chain to your
certificate(s) included in Mozilla’s CA Certificate Program that are not
technically constrained as described in section 9 of Mozilla's CA
Certificate Inclusion Policy. This includes every intermediate
certificate (chaining up to your root certificates in Mozilla's program
with the Websites trust bit enabled) that is not Technically Constrained
via Extended Key Usage and Name Constraint settings.
The date that you enter must be on or before [DATE TBD]. (Required)
~~
If it is not clear enough that cross-certs are included in this, then
what additional wording do you recommend?
Thanks,
Kathleen
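As an added example (not code from this thread, from Mozilla, or from any CA's tooling), the following Go program uses only the standard library's crypto/x509 to perform the two checks the discussion above turns on: deciding whether a CA certificate counts as technically constrained via its EKU and Name Constraints, and spotting a cross-signature by matching a certificate's SubjectPublicKeyInfo against a root while its issuer name differs from the root's own. All certificates are fictitious and generated in memory. The constraint rule it applies is my simplified reading of the EKU / Name Constraint criterion referenced in ACTION #2, not the policy wording, and every function name is mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// technicallyConstrained applies a simplified reading (mine, not the policy
// text) of the "technically constrained via EKU and Name Constraints" test:
// an EKU extension must be present and must not contain anyExtendedKeyUsage;
// if it lists id-kp-serverAuth, Name Constraints with permitted dNSName or
// iPAddress subtrees must also be present. Anything that fails is in scope.
func technicallyConstrained(c *x509.Certificate) (bool, string) {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return false, "no EKU extension: may issue for any purpose"
	}
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return false, "EKU includes anyExtendedKeyUsage"
		}
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		return true, "EKU excludes id-kp-serverAuth"
	}
	if len(c.PermittedDNSDomains) == 0 && len(c.PermittedIPRanges) == 0 {
		return false, "id-kp-serverAuth without permitted dNSName/iPAddress subtrees"
	}
	return true, "id-kp-serverAuth limited by name constraints"
}

// isCrossSignOf: same public key as root, but issued under a name other than the root's own.
func isCrossSignOf(cert, root *x509.Certificate) bool {
	return bytes.Equal(cert.RawSubjectPublicKeyInfo, root.RawSubjectPublicKeyInfo) && !bytes.Equal(cert.RawIssuer, root.RawSubject)
}

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCA issues a CA certificate for key (self-signed when parent is nil); customize may edit the template.
func mkCA(cn string, key ed25519.PrivateKey, customize func(*x509.Certificate),
	parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if customize != nil {
		customize(tmpl)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildSamples constructs fictitious in-memory certificates (none are real): a root, subordinates
// with different EKU/name-constraint settings, and a cross-sign of the root's key by an unrelated root.
func buildSamples() map[string]*x509.Certificate {
	rootKey, otherKey := newKey(), newKey()
	root := mkCA("Example Root", rootKey, nil, nil, nil)
	eku := func(u ...x509.ExtKeyUsage) func(*x509.Certificate) { return func(t *x509.Certificate) { t.ExtKeyUsage = u } }
	return map[string]*x509.Certificate{
		"root":             root,
		"noEKU":            mkCA("Sub No EKU", newKey(), nil, root, rootKey),
		"anyEKU":           mkCA("Sub Any EKU", newKey(), eku(x509.ExtKeyUsageAny), root, rootKey),
		"emailOnly":        mkCA("Sub S/MIME", newKey(), eku(x509.ExtKeyUsageEmailProtection), root, rootKey),
		"tlsUnconstrained": mkCA("Sub TLS", newKey(), eku(x509.ExtKeyUsageServerAuth), root, rootKey),
		"tlsConstrained": mkCA("Sub TLS NC", newKey(), func(t *x509.Certificate) {
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
			t.PermittedDNSDomainsCritical, t.PermittedDNSDomains = true, []string{"example.com"}
		}, root, rootKey),
		"crossSign": mkCA("Example Root", rootKey, nil, mkCA("Unrelated Root", otherKey, nil, nil, nil), otherKey),
	}
}

func main() {
	s := buildSamples()
	for n, c := range s {
		ok, why := technicallyConstrained(c)
		fmt.Printf("%-17s constrained=%-5v cross-sign of root=%-5v %s\n", n, ok, isCrossSignOf(c, s["root"]), why)
	}
}
```

Run it with `go run`; on real data, replace buildSamples with DER parsed from a CA's own certificate inventory or from crt.sh and compare the SPKI of every cert against the root store. Note that the cross-signed root in the sample carries no EKU at all, so the classifier reports it as unconstrained, which is exactly why an undisclosed cross-sign matters. The rule implemented here is deliberately narrow (it ignores rfc822Name and DirectoryName constraints, for instance), so treat a "constrained" verdict as triage, not as a policy determination.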
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy