On 05/05/16 12:50, Kurt Roeckx wrote:
> <snip>
>> Since Intermediate 2 is effectively technically constrained, you might
>> imagine that it should be exempt from the disclosure requirement. However,
>> the "certificate MUST include...extension" language in both the Mozilla CA
>> Policy and the BRs seems to clearly state that:
>>   - Intermediate 1 need not be disclosed.
>>   - Intermediate 2 MUST be disclosed.
>>
>> Anyone disagree with my interpretation?
>
> I would agree, since you can't be sure that there isn't an
> alternative for Intermediate 1 that doesn't have the constraints.

That logic would imply that all of the "Not Trusted by Mozilla" intermediates should be moved to "Disclosure required!", given that I can't prove the non-existence of cross-certificates that would cause these intermediates to become trusted!

AIUI, Mozilla are only requiring disclosure when a trusted-and-unconstrained path does exist. This is indeed something I cannot be sure of (except, as it happens, for intermediates under Comodo's roots), but it is something that each CA should be capable of being sure of.

https://crt.sh/mozilla-disclosures isn't a complete and authoritative list. It attempts to avoid false positives and only deal with "known knowns".

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
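The two readings argued over in this thread can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, from Mozilla, or from crt.sh. Certificates are reduced to the handful of fields that matter here (subject, issuer, whether the certificate itself carries the nameConstraints and EKU extensions, and whether a root is in the trust store), and the PKI is treated as a graph so that a subject can have several issuing certificates (cross-certificates). All names and certificates below are constructed. The "extension" reading applies the "certificate MUST include ... extension" language to the certificate's own extensions only; the "path" reading discloses only when a trusted-and-unconstrained chain actually exists, which is the behaviour the message attributes to the crt.sh list.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    """Only the X.509 fields that matter for the disclosure question.
    All values used below are constructed for illustration."""
    subject: str
    issuer: str                      # subject name of the issuing certificate
    name_constraints: bool = False   # nameConstraints extension present
    eku_restricted: bool = False     # EKU present, without anyExtendedKeyUsage
    trusted_root: bool = False       # self-signed and present in the root store


def is_technically_constrained(cert: Cert) -> bool:
    """The 'certificate MUST include ... extension' reading: only the
    certificate's own extensions count, never those of its issuer."""
    return cert.name_constraints and cert.eku_restricted


def _paths(certs: List[Cert], subject: str, require_unconstrained: bool) -> List[List[str]]:
    """Depth-first search for chains from `subject` to a trusted root.
    With require_unconstrained=True, a chain is rejected as soon as any
    certificate on it (the subject's own included) is technically constrained."""
    by_subject: Dict[str, List[Cert]] = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    found: List[List[str]] = []

    def walk(cert: Cert, path: List[str], seen: frozenset) -> None:
        if require_unconstrained and is_technically_constrained(cert):
            return
        path = path + [cert.subject]
        if cert.trusted_root:
            found.append(path)
            return
        if cert.subject in seen:          # guard against cross-cert loops
            return
        for issuer_cert in by_subject.get(cert.issuer, []):
            walk(issuer_cert, path, seen | {cert.subject})

    for c in by_subject.get(subject, []):
        walk(c, [], frozenset())
    return found


def chains_to_trusted_root(certs: List[Cert], subject: str) -> bool:
    """Does any chain from `subject` reach a trusted root at all?"""
    return bool(_paths(certs, subject, require_unconstrained=False))


def has_trusted_unconstrained_path(certs: List[Cert], subject: str) -> bool:
    """Is there a chain to a trusted root with no constrained certificate on it?"""
    return bool(_paths(certs, subject, require_unconstrained=True))


def disclosure_required(certs: List[Cert], subject: str, reading: str) -> bool:
    """'extension': disclose unless every certificate for the subject carries
    both extensions itself, provided the subject chains to a trusted root.
    'path': disclose only when a trusted-and-unconstrained path exists."""
    if reading == "extension":
        own_certs = [c for c in certs if c.subject == subject]
        return chains_to_trusted_root(certs, subject) and not all(
            is_technically_constrained(c) for c in own_certs)
    if reading == "path":
        return has_trusted_unconstrained_path(certs, subject)
    raise ValueError(f"unknown reading: {reading}")


def summary(certs: List[Cert], subject: str) -> Dict[str, bool]:
    return {r: disclosure_required(certs, subject, r) for r in ("extension", "path")}


# Constructed sample PKI: trusted root, technically constrained Intermediate 1,
# unconstrained Intermediate 2 beneath it (the situation in the thread).
ROOT = Cert("Root", "Root", trusted_root=True)
INT1 = Cert("Int1", "Root", name_constraints=True, eku_restricted=True)
INT2 = Cert("Int2", "Int1")
PKI = [ROOT, INT1, INT2]

# The alternative Kurt raises: a second, unconstrained certificate for
# Intermediate 1, issued directly by the root.
INT1_CROSS = Cert("Int1", "Root")
PKI_WITH_CROSS = PKI + [INT1_CROSS]

# An intermediate whose only chain ends at a root outside the root store
# (the "Not Trusted by Mozilla" case).
OTHER_ROOT = Cert("OtherRoot", "OtherRoot")
INT3 = Cert("Int3", "OtherRoot")
PKI_UNTRUSTED = PKI + [OTHER_ROOT, INT3]

if __name__ == "__main__":
    for label, certs, subj in [("Int1", PKI, "Int1"),
                               ("Int2", PKI, "Int2"),
                               ("Int2 with cross-cert", PKI_WITH_CROSS, "Int2"),
                               ("Int3 (untrusted root)", PKI_UNTRUSTED, "Int3")]:
        print(f"{label:24s} {summary(certs, subj)}")
```

Without the cross-certificate, Intermediate 2 is flagged under the "extension" reading but not under the "path" reading; once the unconstrained cross-certificate for Intermediate 1 is added, both readings flag it, which is the point Kurt's objection turns on. Intermediate 3, reachable only from an untrusted root, is flagged by neither, matching the "known knowns" approach described for the crt.sh list.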
