On 13/05/16 13:41, Richard Barnes wrote:
IIRC, the disclosure requirement is in terms of certificates, and the
disclosure responsibility is on the issuing CA. So you would have one
disclosure per certificate, and the issuing CA would be responsible.
The Inclusion Policy [1] says that the responsibility is on "the CA that
has their certificate included in Mozilla's CA Certificate Program". I
don't see a mention of the "issuing CA".
The recent CA Communication said:
"ACTION #2: Beginning with Version 2.1 of Mozilla's CA Certificate
Policy, for any certificate which directly or transitively chains to the
root certificates you currently have included in Mozilla's CA
Certificate Program, which are capable of being used to issue new
certificates, and which are not technically constrained as described in
Section 9 of Mozilla's CA Certificate Inclusion Policy, you are required
to provide public-facing documentation about the certificate
verification requirements and annual public attestation of conformance
to said requirements. This includes certificates owned by, operated by,
or issued by third parties, whether or not those issuing certificates
are already part of Mozilla's CA Certificate Program, if they have been
cross-signed by a certificate that directly or transitively chains to
your root certificate."
IIUC, that last sentence is saying that multiple disclosures are
required (one disclosure per root to which the intermediate chains).
Have I misread it?
[1]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
[2]
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o000000iHdtx
Note that you can end up with multiple parents for the same exact
certificate, but that requires that each parent have the same public key --
so if those parents are owned by different organizations, we would have a
problem!
On Fri, May 13, 2016 at 2:08 PM, Rob Stradling <rob.stradl...@comodo.com>
wrote:
Kathleen,
Some NSS built-in roots are cross-certified by other built-in roots.
When an intermediate cert chains to multiple roots, does it need to be
disclosed multiple times (once for each root)?
Or, if it only needs to be disclosed once, then how should we determine
which CA is responsible for disclosing? (Shortest chain, perhaps?)
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
