On Mon, Mar 14, 2016 at 4:08 PM, Kathleen Wilson <[email protected]> wrote:

> On 3/10/16 9:25 PM, Eric Mill wrote:
>
>> Would this be a good opportunity to ask CAs to do an audit of any
>> undisclosed cross-signatures they may have to other unconstrained roots?
>>
>> For example, there were two recently discovered cross-signatures to the
>> Federal Bridge by commercial CAs, Identrust and Symantec. Once it was
>> identified that Identrust had not disclosed this cross-signature, Identrust
>> revoked it:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1037590#c26
>>
>> While services like censys.io and crt.sh are doing wonders for finding
>> things like this, it would also be beneficial to have CAs use their own
>> vantage point over their cross-signatures to identify other possible gaps
>> between what Mozilla understands their root store to trust and what it
>> could potentially be made to trust.
>
> I agree, but not sure what else to say in the communication.
>
> ~~
> ACTION #2: Version 2.1 of Mozilla's CA Certificate Policy added the
> requirement that CAs must provide public-facing documentation about
> certificate verification requirements and annual public attestation of
> conformance to the stated certificate verification requirements for all
> certificates that are capable of being used to issue new certificates, and
> which directly or transitively chain to their certificate(s) included in
> Mozilla's CA Certificate Program that are not technically constrained as
> described in section 9 of Mozilla's CA Certificate Inclusion Policy.
>
> Respond with the date by which you plan to complete entry into Mozilla's
> CA Community in Salesforce of the PEM data, CP/CPS, and audit statements
> for all certificates that are capable of being used to issue new
> certificates, and which directly or transitively chain to your
> certificate(s) included in Mozilla’s CA Certificate Program that are not
> technically constrained as described in section 9 of Mozilla's CA
> Certificate Inclusion Policy. This includes every intermediate certificate
> (chaining up to your root certificates in Mozilla's program with the
> Websites trust bit enabled) that is not Technically Constrained via
> Extended Key Usage and Name Constraint settings.
>
> The date that you enter must be on or before [DATE TBD]. (Required)
> ~~
>
> If it is not clear enough that cross-certs are included in this, then what
> additional wording do you recommend?

I'll admit that I had overlooked this -- this completely describes what I
was asking about.

However, just for extra emphasis, it might be useful to work the phrase
"cross-signature" or similar into the paragraph, to make sure that CAs are
reminded to consider these when evaluating your action request. One way of
doing this might be adding to the end of the first paragraph:

"This can include cross-signatures that create a chain to issuing
certificates owned by third parties, whether or not those issuing
certificates are already part of the Mozilla CA Certificate Program."

In any case, apologies for not noticing this section before making my
request.

-- Eric

> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>
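The audit Eric Mill proposes in the thread, reduced to a small model, as an added example that is not code from the thread, from Mozilla, or from any CA. Certificates are simplified to the fields a chain builder cares about (subject, subject key identifier, signing key identifier, CA flag, technical-constraint flag); all key identifiers, names and the corpus itself are constructed. It shows two checks: the structural one that crt.sh-style scanning can do from a certificate corpus alone (a key certified by more than one issuer), and the one only the root-store view gives you (unconstrained CA keys that trust can reach via a chain but that appear in no disclosure set).

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a certificate, just what chain building needs (constructed model)."""
    subject: str
    spki: str                 # identifier of the subject public key
    issuer_spki: str          # identifier of the key that signed this certificate
    is_ca: bool = True
    technically_constrained: bool = False  # EKU + name constraints, policy section 9


def cross_signed_keys(corpus):
    """Keys for which CA certificates exist from more than one issuing key.

    That is the structural signature of a cross-signature: the same public key
    certified by two different issuers, so two different chains lead to it.
    """
    issuers_by_key = defaultdict(set)
    for cert in corpus:
        if cert.is_ca:
            issuers_by_key[cert.spki].add(cert.issuer_spki)
    return {spki: sorted(issuers) for spki, issuers in issuers_by_key.items()
            if len(issuers) > 1}


def reachable_ca_certs(root_spkis, corpus):
    """Every CA certificate a root store can reach by chaining.

    Breadth-first walk over issuing keys. A technically constrained CA key is
    reached but not expanded further: in this model anything below it is
    treated as covered by that constraint.
    """
    by_issuer = defaultdict(list)
    for cert in corpus:
        by_issuer[cert.issuer_spki].append(cert)

    expanded = set()
    queue = deque(root_spkis)
    found = []
    while queue:
        key = queue.popleft()
        if key in expanded:
            continue
        expanded.add(key)
        for cert in by_issuer.get(key, []):
            if not cert.is_ca:
                continue
            found.append(cert)
            if not cert.technically_constrained:
                queue.append(cert.spki)
    return found


def undisclosed_ca_keys(root_spkis, disclosed_spkis, corpus):
    """Unconstrained CA keys reachable from the roots but absent from the disclosure set.

    Each (subject, spki) pair is a gap between what the root store is understood
    to trust and what it can be made to trust.
    """
    gaps = set()
    for cert in reachable_ca_certs(root_spkis, corpus):
        if cert.technically_constrained or cert.spki in disclosed_spkis:
            continue
        gaps.add((cert.subject, cert.spki))
    return sorted(gaps)


# Constructed corpus: one root in the store, a disclosed issuing CA, a constrained
# CA, a third-party bridge with its own untrusted self-signed root, and an
# undisclosed cross-signature from the issuing CA onto the bridge key.
CORPUS = [
    CertRecord("Example Root CA", "key-root", "key-root"),
    CertRecord("Example Issuing CA 1", "key-int1", "key-root"),
    CertRecord("Example Constrained CA", "key-con", "key-root", technically_constrained=True),
    CertRecord("Example Sub of Constrained", "key-sub", "key-con"),
    CertRecord("www.example.test", "key-leaf", "key-int1", is_ca=False),
    CertRecord("Third Party Bridge CA", "key-bridge", "key-bridge"),   # bridge's own root
    CertRecord("Third Party Bridge CA", "key-bridge", "key-int1"),     # the cross-signature
    CertRecord("Agency CA", "key-agency", "key-bridge"),
    CertRecord("Unrelated Root", "key-other", "key-other"),
]
ROOTS = {"key-root"}
DISCLOSED = {"key-root", "key-int1"}


if __name__ == "__main__":
    print("cross-signed keys:", cross_signed_keys(CORPUS))
    print("reachable but undisclosed:", undisclosed_ca_keys(ROOTS, DISCLOSED, CORPUS))
    # Revoking (here: dropping) the cross-certificate closes the gap, as in the thread.
    without_cross = [c for c in CORPUS
                     if not (c.spki == "key-bridge" and c.issuer_spki == "key-int1")]
    print("after revoking the cross-cert:", undisclosed_ca_keys(ROOTS, DISCLOSED, without_cross))
```

Note that the bridge's own self-signed root is not in the store, yet once the cross-signature exists everything the bridge key has certified (the constructed "Agency CA") chains to the trusted root, which is why the walk is over keys rather than over certificates. The sub-CA beneath the constrained CA is deliberately not reported: this model treats it as covered by the parent's constraint, which is the simplifying assumption stated in the docstring, not a reading of the policy.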

