On Wed, Apr 27, 2016 at 7:36 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> On Wed, Apr 27, 2016 at 8:41 PM, Peter Bowen <pzbo...@gmail.com> wrote:
>>
>> As far as I can tell, SalesForce does not have a way to show multiple
>> certificates for one CA.  So it is entirely possible to have all CAs
>> disclosed but not have all CA certificates disclosed. (Some of the
>> edges in the graph may not be present)
>>
>> Does disclosing all CAs meet the policy or does there need to be an
>> update to support disclosing additional certificates?
>
>
> Policy saith:
> """
> All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla’s CA Certificate Program, MUST be operated in accordance with
> Mozilla’s CA Certificate Policy and MUST either be technically constrained
> or be publicly disclosed and audited.
> """
>
> That reads to me to say that all certificates that might be used in building
> a chain to a trusted root need to be disclosed, not just one per CA.

Does this also include certificates that are revoked?

The test is something like:

(extensions:basicConstraints:CA == TRUE ||
 extensions:keyUsage:keyCertSign == TRUE ||
 extensions:keyUsage:cRLSign == TRUE)
&& ((NOT extensions.include(extendedKeyUsage)) ||
    extensions:extendedKeyUsage.include(anyEKU) ||
    extensions:extendedKeyUsage.include(serverAuth))
&& notAfter >= NOW
&& (NOT TechnicallyConstrained)

> If our SalesForce system doesn't support multiple certs per CA, we might
> have to come up with a work-around until it does.

Your SalesForce system seems to assume that a certificate and CA are
equal instead of treating CAs as nodes and certificates as edges in a
directed graph.  I'm not sure how to best disclose additional
certificates.
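To make the test above concrete, here is an added Python example (not code from this thread, from Mozilla, or from the SalesForce system) that evaluates the disclosure predicate over a small constructed set of certificates and models the CA hierarchy the way the last paragraph describes: CAs as nodes, certificates as directed edges from issuer to subject. Assumptions: certificates are already parsed into dicts; "TechnicallyConstrained" is approximated as the presence of a nameConstraints extension (the EKU half of that notion is already part of the predicate); NOW is pinned to 2016-04-28 so the result is deterministic; all names and serials are made up.

```python
from datetime import datetime, timezone

# Fixed clock for a reproducible result (assumption: the thread's date).
NOW = datetime(2016, 4, 28, tzinfo=timezone.utc)


def cert(serial, issuer, subject, not_after, ca=None, ku=(), eku=None,
         name_constraints=False):
    """Build a constructed stand-in for a parsed X.509 certificate."""
    ext = {}
    if ca is not None:
        ext["basicConstraints"] = {"cA": ca}
    if ku:
        ext["keyUsage"] = set(ku)
    if eku is not None:
        ext["extendedKeyUsage"] = set(eku)
    if name_constraints:
        # Assumption: any nameConstraints extension counts as "technically constrained".
        ext["nameConstraints"] = {"permittedSubtrees": ["example.com"]}
    return {"serial": serial, "issuer": issuer, "subject": subject,
            "notAfter": datetime(*not_after, tzinfo=timezone.utc),
            "extensions": ext}


# Constructed sample data: the CA "I" has three certificates (one direct,
# one cross-signed by a different root, one expired), which is the case a
# one-certificate-per-CA record cannot represent.
SAMPLE_CERTS = [
    cert("R-1", "R", "R", (2030, 1, 1), ca=True, ku=["keyCertSign", "cRLSign"]),
    cert("I-1", "R", "I", (2028, 1, 1), ca=True, ku=["keyCertSign"]),
    cert("I-2", "OtherRoot", "I", (2027, 1, 1), ca=True, ku=["keyCertSign"]),
    cert("I-3", "R", "I", (2015, 1, 1), ca=True, ku=["keyCertSign"]),      # expired
    cert("J-1", "I", "J", (2026, 1, 1), ca=True, ku=["keyCertSign"],
         eku=["emailProtection"]),                                           # EKU excludes TLS
    cert("K-1", "R", "K", (2026, 1, 1), ca=True, ku=["keyCertSign"],
         eku=["serverAuth"], name_constraints=True),                         # name-constrained
    cert("L-1", "I", "L", (2017, 1, 1), ca=False, ku=["digitalSignature"],
         eku=["serverAuth"]),                                                # end-entity
    cert("M-1", "R", "M", (2026, 1, 1), ku=["cRLSign"]),                     # no basicConstraints
]


def is_ca_capable(ext):
    """basicConstraints cA, or a keyUsage bit that can sign certificates or CRLs."""
    ku = ext.get("keyUsage", set())
    return (bool(ext.get("basicConstraints", {}).get("cA"))
            or "keyCertSign" in ku or "cRLSign" in ku)


def eku_permits_tls(ext):
    """No EKU extension at all, or an EKU that contains anyEKU or serverAuth."""
    eku = ext.get("extendedKeyUsage")
    return eku is None or "anyExtendedKeyUsage" in eku or "serverAuth" in eku


def is_technically_constrained(ext):
    """Assumption for this example: a nameConstraints extension is the constraint."""
    return "nameConstraints" in ext


def needs_disclosure(c, now=NOW):
    """The predicate from the mail, term by term."""
    ext = c["extensions"]
    return (is_ca_capable(ext) and eku_permits_tls(ext)
            and c["notAfter"] >= now and not is_technically_constrained(ext))


def build_ca_graph(certs):
    """Nodes are CAs (subject names); each certificate is one edge issuer -> subject."""
    graph = {}
    for c in certs:
        graph.setdefault(c["issuer"], []).append((c["subject"], c["serial"]))
        graph.setdefault(c["subject"], [])
    return graph


def certs_per_ca(certs):
    """How many certificates (incoming edges) each CA node has."""
    counts = {}
    for c in certs:
        counts[c["subject"]] = counts.get(c["subject"], 0) + 1
    return counts


def disclosure_list(certs, now=NOW):
    """Serials of every certificate the predicate says must be disclosed."""
    return sorted(c["serial"] for c in certs if needs_disclosure(c, now))


if __name__ == "__main__":
    print("must disclose:", disclosure_list(SAMPLE_CERTS))
    print("certs per CA:", certs_per_ca(SAMPLE_CERTS))
    print("edges out of R:", build_ca_graph(SAMPLE_CERTS)["R"])
```

Run as is, the node I carries three certificates while only two of them pass the predicate, so a record keyed by CA rather than by certificate cannot express which edges of the graph are disclosed. Note also that the predicate consults notAfter but never revocation status, which is exactly the open question about revoked certificates.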
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
